Nope, the "refresh" (10 hours by default) will not re-enumerate an account's group memberships. It will only check that the account still exists, is enabled and hasn't expired, and will refresh the ticket granting ticket (TGT) of the respective Kerberos realm.

Actually, there's a nice little "feature" which you should be aware of in multi-domain forests: the Kerberos refresh won't check the validity of an account for cross-realm tickets (i.e. tickets that an account received by accessing resources in other domains of the forest). This is a potential risk in case an account is disabled: the process will only disable the ticket for the account's own domain, but the account will still be able to access resources in other domains (as long as it is logged onto a machine).

One more reason to stick to a single domain forest...

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Saturday, 14 May 2005 20:53
To: [email protected]
Subject: Re: [ActiveDir] "Sticky" group membership

I always thought access tokens were "refreshed" after a period of time or re-requested by the server? Am I wrong?
I always thought logging off and on just got a new token faster, but you could get on after a period of time passed by a server "refreshing" its token cache?

Thanks

--------------------------
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
