How to Disable Universal Group Membership Caching in all Sites using a Script

Starting with Windows Server 2003, a feature called Universal Group Membership Caching (UGMC) caches a user’s membership in Universal Groups on the domain controllers that authenticate the user. This allows a domain controller to know which Universal Groups a user is a member of without contacting a Global Catalog.

Unlike Global group memberships, which are stored in each domain, Universal Group memberships are stored only in a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the Global Catalog provides the Universal Group membership information for the user’s account to the authenticating domain controller at the time of logon.

UGMC is generally a good idea for multiple domain forests when:

1. Universal Group membership does not change frequently.

2. WAN bandwidth between Domain Controllers in different sites is low.

It is also recommended to disable UGMC if all Domain Controllers in a forest are Global Catalogs.

To learn more about Universal Group Membership Caching, please visit:

TechNet Support WebCast: Overview of universal group caching in Microsoft Windows Server 2003 at http://support.microsoft.com/kb/893435

The Role of the Global Catalog at http://technet.microsoft.com/en-us/library/cc736934(WS.10).aspx

 

Understanding the Script:

Script Repository: Active Directory

http://www.microsoft.com/technet/scriptcenter/scripts/ad/default.mspx?mfr=true

 

APPLIES TO

· Microsoft Windows Server 2008

 

 

Visual Basic

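' UGMC is one bit (0x20) in the options attribute of each site's
' "NTDS Site Settings" object; the other bits are unrelated site options.
Const NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED = &H20

Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")

' Enumerate every site object under cn=Sites in the configuration partition.
strSitesContainer = "LDAP://cn=Sites," & strConfigurationNC
Set objSitesContainer = GetObject(strSitesContainer)
objSitesContainer.Filter = Array("site")

For Each objSite In objSitesContainer
    strSiteName = objSite.Name    ' RDN of the site, in the form "CN=..."
    strNTDSSettings = "LDAP://cn=NTDS Site Settings," & strSiteName & ",cn=Sites," & _
        strConfigurationNC
    Set objNTDSSettings = GetObject(strNTDSSettings)

    ' The attribute may be unset; treat a failed read as 0.
    intOptions = 0
    On Error Resume Next
    intOptions = objNTDSSettings.Get("options")
    On Error GoTo 0

    ' Clear only the UGMC bit so the site's other options are preserved.
    If intOptions And NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED Then
        objNTDSSettings.Put "options", intOptions And Not NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED
        objNTDSSettings.SetInfo
    End If
Next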
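
Before changing anything, it helps to see which sites currently have UGMC enabled and which other option bits are set on their NTDS Site Settings objects. The following read-only audit is an added example, not part of the original script; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the function name ConvertFrom-SiteOptions is hypothetical. The flag names follow Microsoft's MS-ADTS specification (NTDSSETTINGS_OPT_ prefix omitted).

```powershell
# Added example: report the options attribute of every "NTDS Site Settings"
# object. It makes no changes to the directory.
Import-Module ActiveDirectory

# Bit flags of nTDSSiteSettings.options. Bits not listed here are
# reported as raw hex rather than guessed at.
$SiteOptionFlags = [ordered]@{
    0x01 = 'IS_AUTO_TOPOLOGY_DISABLED'
    0x02 = 'IS_TOPL_CLEANUP_DISABLED'
    0x04 = 'IS_TOPL_MIN_HOPS_DISABLED'
    0x08 = 'IS_TOPL_DETECT_STALE_DISABLED'
    0x10 = 'IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED'
    0x20 = 'IS_GROUP_CACHING_ENABLED'      # the UGMC bit
}

# Hypothetical helper: turn an options value into a readable flag list.
function ConvertFrom-SiteOptions {
    param([int]$Options)
    $names = @(foreach ($flag in $SiteOptionFlags.GetEnumerator()) {
        if ($Options -band $flag.Key) {
            $flag.Value
            $Options = $Options -band (-bnot $flag.Key)   # mark bit as decoded
        }
    })
    if ($Options) { $names += ('0x{0:X}' -f $Options) }    # undecoded bits
    $names -join ', '
}

$configNC = (Get-ADRootDSE).configurationNamingContext

Get-ADObject -SearchBase "CN=Sites,$configNC" `
             -LDAPFilter '(objectClass=nTDSSiteSettings)' `
             -Properties options |
    ForEach-Object {
        $opts = [int]$_.options        # an unset attribute reads as 0
        [pscustomobject]@{
            # DN is "CN=NTDS Site Settings,CN=<site>,CN=Sites,..."
            Site        = ($_.DistinguishedName -split ',')[1] -replace '^CN='
            Options     = $opts
            UGMCEnabled = [bool]($opts -band 0x20)
            Flags       = ConvertFrom-SiteOptions $opts
        }
    } |
    Sort-Object Site |
    Format-Table -AutoSize
```

Saving this output before and after running the script gives a record of which sites changed and confirms that no other option bit was altered.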
 

· Microsoft Windows Server 2003

· Microsoft Windows 2000 Server