adclient.cache.expires.group.membership
This configuration parameter specifies the number of seconds before the group object's membership in the domain controller cache expires. This object stores data about which users are members of the group. The domain controller cache contains object attributes including the object’s Active Directory properties, memberships, indexes and other parameters.
If this parameter is not specified, the object cache expiration value from adclient.cache.expires.group is used. If that is not specified, adclient.cache.expires is used.
Every group membership object retrieved from Active Directory is stamped with the system time when it enters the domain controller cache. Once an object expires, if it is needed again, the agent contacts Active Directory to determine whether to retrieve an updated object (because the object has changed) or renew the expired object (because no changes have been made). To make this determination, the agent checks the highest update sequence number (USN) for the expired object. If the value has changed, the agent retrieves the updated object. If the highest USN has not changed, the agent resets the object’s timestamp to the new system time and retrieves the object from the cache.
If the agent is unable to contact Active Directory to check for updates to an expired object—for example, because the computer is disconnected from the network—the agent returns the currently cached object until it can successfully contact Active Directory.
If you are manually setting this parameter, the parameter value must be a positive integer. The following example sets the cache expiration time for group objects to 1800 seconds (30 minutes):
adclient.cache.expires.group.membership: 1800
The default cache expiration time for all object types is defined with the adclient.cache.expires parameter. If you explicitly set the adclient.cache.expires.group.membership parameter, its value overrides the default value for cached objects.
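The following sketch is an added example, not code from the agent or its vendor. It resolves the effective group membership expiration through the fallback order described above and models what happens to a cached object once that time has passed. Assumptions: the function names, the '#' comment handling, rejecting an invalid value rather than falling back, and treating an object as expired once its age reaches the configured number of seconds.

```python
import re

# Fallback order described above: most specific parameter first.
FALLBACK = (
    "adclient.cache.expires.group.membership",
    "adclient.cache.expires.group",
    "adclient.cache.expires",
)

def parse_conf(text):
    """Parse 'name: value' lines; '#' comment handling is an assumption."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, value = line.split(":", 1)
            params[name.strip()] = value.strip()
    return params

def effective_membership_ttl(params):
    """Return (source_parameter, seconds), or (None, None) if nothing is set."""
    for name in FALLBACK:
        if name in params:
            value = params[name]
            if not re.fullmatch(r"[0-9]+", value) or int(value) == 0:
                raise ValueError(f"{name} must be a positive integer, got {value!r}")
            return name, int(value)
    return None, None

def cache_action(stamped_at, now, ttl, cached_usn, ad_usn):
    """Model the agent's decision for one cached membership object.
    ad_usn is None when Active Directory cannot be contacted."""
    if now - stamped_at < ttl:
        return "serve-cached"
    if ad_usn is None:
        return "serve-expired-until-reconnect"
    return "retrieve-updated" if ad_usn != cached_usn else "renew-timestamp"

# Constructed sample configuration, not taken from a real host.
SAMPLE = """
adclient.cache.expires: 3600
adclient.cache.expires.group: 900   # constructed value
"""

if __name__ == "__main__":
    source, ttl = effective_membership_ttl(parse_conf(SAMPLE))
    print(f"group membership TTL = {ttl}s (from {source})")
    for ad_usn in (41, 42, None):
        print(ad_usn, cache_action(0, ttl + 1, ttl, 41, ad_usn))
```

The "serve-expired-until-reconnect" result is the case to weigh when choosing a value: a membership removed in Active Directory stays in effect on the host until the object expires and the agent can reach a domain controller again.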