adclient.cache.expires.user

This configuration parameter specifies the number of seconds before a user object in the domain controller cache expires. If this parameter is not specified, the object cache expiration value from adclient.cache.expires is used.

How the Domain Controller Cache Works

Every user object retrieved from Active Directory is stamped with the system time when it enters the domain controller cache. Once an object expires, if it is needed again, the agent contacts Active Directory to determine whether to retrieve an updated object (because the object has changed) or renew the expired object (because no changes have been made). To make this determination, the agent checks the highest update sequence number (USN) for the expired object. If the value has changed, the agent retrieves the updated object. If the highest USN has not changed, the agent resets the object’s timestamp to the new system time and retrieves the object from the cache.

If the agent is unable to contact Active Directory to check for updates to an expired object—for example, because the computer is disconnected from the network—the agent returns the currently cached object until it can successfully contact Active Directory.

When a user logs in, the user's group membership is retrieved from the Privilege Authorization Certificate (PAC), not the cache. User attributes and zone data are retrieved from the cache. If the cache entry for the user has expired, adclient refreshes the data synchronously and blocks the user's login attempt until the refresh is complete.
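To make the expiry, renew-or-refresh and disconnected-fallback behaviour above concrete, here is an added Python model of that logic. It is illustrative code written for this page, not the agent's own implementation: FakeActiveDirectory, the DN, the USN values and the attribute dictionary are all constructed, and a controllable clock stands in for the system time so that expiry can be stepped through deterministically.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


# Constructed stand-in for Active Directory (hypothetical). It holds, per user
# DN, the object's highest update sequence number (USN) and its attributes, and
# can be toggled unreachable to model a computer that is off the network.
class FakeActiveDirectory:
    def __init__(self, objects: Dict[str, dict]):
        self.objects = objects        # dn -> {"usn": int, "attrs": dict}
        self.reachable = True
        self.queries = 0              # live queries issued; shows what the cache saves

    def highest_usn(self, dn: str) -> int:
        if not self.reachable:
            raise ConnectionError("domain controller unreachable")
        self.queries += 1
        return self.objects[dn]["usn"]

    def fetch(self, dn: str) -> Tuple[int, dict]:
        if not self.reachable:
            raise ConnectionError("domain controller unreachable")
        self.queries += 1
        obj = self.objects[dn]
        return obj["usn"], dict(obj["attrs"])


@dataclass
class CachedObject:
    attrs: dict
    usn: int
    stamped_at: float   # system time when the object entered, or was renewed in, the cache


class DomainControllerCache:
    """Model of the user-object expiry logic; expires_user plays the role of
    adclient.cache.expires.user (seconds)."""

    def __init__(self, ad: FakeActiveDirectory, expires_user: int,
                 clock: Callable[[], float] = time.time):
        if expires_user <= 0:
            raise ValueError("adclient.cache.expires.user must be a positive integer")
        self.ad = ad
        self.expires_user = expires_user
        self.clock = clock
        self.entries: Dict[str, CachedObject] = {}

    def _store(self, dn: str) -> CachedObject:
        usn, attrs = self.ad.fetch(dn)
        entry = CachedObject(attrs, usn, self.clock())   # stamp with system time on entry
        self.entries[dn] = entry
        return entry

    def get_user(self, dn: str) -> Tuple[dict, str]:
        """Return (attributes, how_served); how_served is one of
        'fetched', 'cache', 'renewed', 'refreshed' or 'stale'."""
        entry = self.entries.get(dn)
        if entry is None:
            return self._store(dn).attrs, "fetched"      # raises if AD is unreachable

        if self.clock() - entry.stamped_at < self.expires_user:
            return entry.attrs, "cache"                  # not expired: no AD traffic at all

        # Expired: ask AD whether the object changed by comparing the highest USN.
        try:
            current_usn = self.ad.highest_usn(dn)
        except ConnectionError:
            # Disconnected: keep serving the cached object until AD is reachable again.
            return entry.attrs, "stale"

        if current_usn != entry.usn:
            return self._store(dn).attrs, "refreshed"    # object changed: retrieve it again
        entry.stamped_at = self.clock()                  # unchanged: renew the timestamp only
        return entry.attrs, "renewed"


if __name__ == "__main__":
    dn = "CN=alice,OU=Users,DC=example,DC=com"       # constructed DN
    ad = FakeActiveDirectory({dn: {"usn": 100, "attrs": {"uidNumber": 1001}}})
    now = [1000.0]
    cache = DomainControllerCache(ad, expires_user=1800, clock=lambda: now[0])
    for step in (0, 10, 1800, 1800):
        now[0] += step
        print(now[0], cache.get_user(dn), "queries so far:", ad.queries)
```

The renew step is what keeps a long expiration cheap: once the object has expired, an unchanged USN costs one query and no object transfer, and while the domain controller is unreachable the expired object keeps being served rather than failing the lookup.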

Considerations for Choosing the Value

Increasing the value of this parameter can yield performance benefits: fewer queries reach Active Directory because data is served from the cache instead, the load on the AD server is reduced, and enumeration responses are faster because looking up data in the cache is faster than a live query. The trade-off follows from the expiry behaviour above: a change made to a user object in Active Directory is not picked up by the agent until the cached copy expires and is refreshed.

Related Parameters

The adclient.cache.expires.user parameter works in combination with other related parameters:

  • adclient.cache.expires is the base parameter that governs this set of parameters. It defines the default cache expiration time for all types of objects. Its setting is used unless it is overridden by a more specific parameter, such as adclient.cache.expires.user.

  • adclient.cache.expires.user.membership can be used to override the setting in adclient.cache.expires.user for the amount of time before a user’s group membership information in the domain controller cache expires.

Setting adclient.cache.expires.user

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.

If you are manually setting this parameter, the parameter value must be a positive integer. The following example sets the cache expiration time for user objects to 1800 seconds (30 minutes):

adclient.cache.expires.user: 1800

The default cache expiration time for all types of object is defined with the adclient.cache.expires parameter. If you explicitly set the adclient.cache.expires.user parameter, its value overrides the default value for cached objects.
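The override chain described under Related Parameters, and the positive-integer rule for manually set values, can be checked with a small resolver. The following Python is an added example written for this page, not part of the agent or its configuration tooling: it assumes the "key: value" line format shown in the example above, treats lines beginning with "#" as comments, and the configuration excerpts and the base expiry value of 3600 are constructed for illustration, not product defaults.

```python
import re
from typing import Dict

# Precedence per object type, most specific first. adclient.cache.expires is
# the base value used whenever nothing more specific has been set.
EXPIRY_CHAIN = {
    "user": ["adclient.cache.expires.user",
             "adclient.cache.expires"],
    "user.membership": ["adclient.cache.expires.user.membership",
                        "adclient.cache.expires.user",
                        "adclient.cache.expires"],
}

_LINE = re.compile(r"^([A-Za-z0-9_.]+)\s*:\s*(.*?)$")


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines into a dict (assumed format; '#' and blank lines skipped)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if match is None:
            raise ValueError(f"unparseable configuration line: {raw!r}")
        settings[match.group(1)] = match.group(2).strip()
    return settings


def positive_seconds(name: str, value: str) -> int:
    """Enforce the documented constraint: a manually set value must be a positive integer."""
    if not value.isdigit() or int(value) <= 0:
        raise ValueError(f"{name} must be a positive integer, got {value!r}")
    return int(value)


def effective_expiry(settings: Dict[str, str], kind: str) -> int:
    """Walk the override chain for `kind` and return the expiry in seconds that applies."""
    for name in EXPIRY_CHAIN[kind]:
        if name in settings:
            return positive_seconds(name, settings[name])
    raise ValueError(f"no cache expiration configured for {kind!r}")


# Constructed configuration excerpt (not a real centrifydc.conf).
SAMPLE_CONF = """\
# base expiry for every object type (constructed value)
adclient.cache.expires: 3600
# user objects expire sooner, as in the example above
adclient.cache.expires.user: 1800
"""

if __name__ == "__main__":
    settings = parse_config(SAMPLE_CONF)
    for kind in EXPIRY_CHAIN:
        print(f"{kind}: {effective_expiry(settings, kind)} seconds")
```

With the sample excerpt, both the user object and the user's group membership resolve to 1800 seconds, because adclient.cache.expires.user.membership is unset and falls through to adclient.cache.expires.user; remove that line and both fall back to the base value.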