adclient.cache.expires.user.membership

This configuration parameter specifies the number of seconds before a user’s group membership information in the domain controller cache expires. If this parameter is not specified, the user object cache expiration value (adclient.cache.expires.user) is used.

Every user object retrieved from Active Directory is stamped with the system time when it enters the domain controller cache. Once an object expires, if it is needed again, the agent contacts Active Directory to determine whether to retrieve an updated object (because the object has changed) or renew the expired object (because no changes have been made). To make this determination, the agent checks the highestUSN for the expired object. If the value has changed, the agent retrieves the updated object. If the highestUSN has not changed, the agent resets the object’s timestamp to the new system time and retrieves the object from the cache.

If the agent is unable to contact Active Directory to check for updates to an expired object (for example, because the computer is disconnected from the network), the agent returns the currently cached object until it can successfully contact Active Directory.

If you are manually setting this parameter, the parameter value must be a positive integer. The following example sets the cache expiration time for user group membership information to 1800 seconds (30 minutes):

adclient.cache.expires.user.membership: 1800

The default cache expiration time for all object types is defined with the adclient.cache.expires parameter. If you explicitly set the adclient.cache.expires.user.membership parameter, its value overrides the default value for cache objects.
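
Added example (not the agent's code and not part of the original documentation): a Python model of the expiration and lookup behavior described above, useful for reasoning about how long a removed group membership can still be returned on a host, including while Active Directory is unreachable. It assumes that lines starting with # are comments and that adclient.cache.expires.user in turn falls back to adclient.cache.expires; the function names, entry fields and sample configuration are hypothetical.

```python
# Model of the documented behaviour; all names here are hypothetical.
FALLBACK = (
    "adclient.cache.expires.user.membership",
    "adclient.cache.expires.user",   # documented fallback for membership
    "adclient.cache.expires",        # assumption: last step of the chain
)

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
# cache settings
adclient.cache.expires: 3600
adclient.cache.expires.user.membership: 1800
"""

def effective_ttl(conf_text):
    """Return (parameter, seconds) for the first parameter in FALLBACK that is set."""
    seen = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        key, sep, value = line.partition(":")
        if sep:
            seen[key.strip()] = value.strip()
    for name in FALLBACK:
        if name in seen:
            if not seen[name].isdigit() or int(seen[name]) <= 0:
                raise ValueError(f"{name} must be a positive integer, got {seen[name]!r}")
            return name, int(seen[name])
    return None  # nothing set: the agent's built-in default applies

def lookup(entry, now, ttl, dc_highest_usn):
    """Model one lookup of a cached object.

    entry is {'stamp', 'usn', 'groups'}; dc_highest_usn is the value read from
    Active Directory, or None when Active Directory cannot be contacted.
    """
    if now - entry["stamp"] < ttl:
        return "fresh", entry                  # not expired: served from cache
    if dc_highest_usn is None:
        return "stale-offline", entry          # expired but still returned
    if dc_highest_usn != entry["usn"]:
        return "refetch", None                 # changed: caller retrieves the update
    return "renewed", {**entry, "stamp": now}  # unchanged: timestamp reset

if __name__ == "__main__":
    print(effective_ttl(SAMPLE_CONF))
```

The "stale-offline" result is the case to weigh when choosing a value: an expired membership keeps being returned for as long as the host cannot reach Active Directory.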