This is a question we receive frequently from our clients: how long does it take for a permission change to take effect in Windows? The problem is that there are three common types of permission changes, and each comes into effect in a different way, which means each has different timing. Then there is the question of which site you make the change in and how long it will take to replicate to other sites and offices.
In this short article we will get right to the facts and tell you how long it takes for changes to replicate in Active Directory.
Do group membership changes take effect immediately? The technical answer to this question is yes, but the practical answer is no. Let us explain. When you make a change to a group in Active Directory, that change takes place instantly. However, because Windows only enumerates the groups a user belongs to at the time of logon, changes to group membership will not be noticed by most users until they log out and back in.
Do NTFS folder permission changes take effect immediately? Yes, changes made to permissions on folders stored on NTFS volumes come into effect immediately. However, when most people ask that question they are actually asking whether adding a user to a group that has access to a particular folder takes effect right away, and the answer to that question is no. See the previous section.
Permission changes to an Active Directory object like a user, a computer or a printer do come into effect immediately. However, that assumes the object in question (the user, computer and so on) is talking to the domain controller where you made the change. Otherwise you will have to wait for replication to complete, which usually takes just a few minutes.
You can think of intra-site replication as being instant because it actually runs every 15 seconds. This means that if you make a change on one domain controller, like adding a user, that user should show up on your other domain controllers and be visible in less than a minute, as long as they are all in the same site.
The exception to this is critical directory updates like disabling a user, which are literally instant.
By default, Active Directory changes replicate to other sites on a 3 hour interval. If you have no idea when the last replication took place and have to guess, the logical assumption is that you are halfway through a sync cycle, so changes will be replicated to domain controllers in other sites within about 1.5 hours (and at most 3 hours).
If you work in a company that has more than a single office, you will be familiar with the concept of "sites" and therefore you should be familiar with Active Directory Sites and Services.
In most cases you can consider a site to be analogous to an office address. If you have two offices in Toronto, one in Calgary and five in New York, your Active Directory will most likely have eight sites.
Sites and Services is where you define the boundaries of your sites. In particular, you tell Active Directory which subnets and domain controllers belong to each of your sites.
Most companies now use a mesh topology, in which every site is connected to every other site, simply to improve replication time and increase redundancy. However, if your company has a complex topology (like many banks and high security organizations), it could take multiple sync cycles for changes made in one site to replicate to another. For instance, if Toronto replicates only with New York and New York replicates with London, changes made in Toronto could take 6 hours to show up in London (3 hours from Toronto to New York + 3 hours from New York to London).
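The Toronto to New York to London arithmetic above, turned into a check you can run, as an added PowerShell example that is not part of the original article. It reads the site links with Get-ADReplicationSiteLink when the RSAT ActiveDirectory module is available, otherwise falls back to a constructed sample topology, and sums the replication interval of every hop on the shortest path to give the worst-case delay; the function names and the sample site names are assumptions, and site link schedules and inter-site change notification are ignored.

```powershell
# Added example (assumed names); worst-case delay = sum of per-hop replication intervals
function Get-SiteLinkTable {
    try {   # real site links when the RSAT ActiveDirectory module is present
        Import-Module ActiveDirectory -ErrorAction Stop
        Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, SitesIncluded -ErrorAction Stop |
            ForEach-Object {
                $link = $_
                [pscustomobject]@{
                    Name    = $link.Name
                    # Reduce each site DN ("CN=Toronto,CN=Sites,...") to its site name
                    Sites   = @($link.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
                    Minutes = [int]$link.ReplicationFrequencyInMinutes
                }
            }
    } catch {   # otherwise a constructed sample topology so the script runs offline
        @(
            [pscustomobject]@{ Name = 'TOR-NYC'; Sites = @('Toronto', 'NewYork'); Minutes = 180 },
            [pscustomobject]@{ Name = 'NYC-LON'; Sites = @('NewYork', 'London');  Minutes = 180 }
        )
    }
}
function Get-WorstCaseReplicationMinutes {
    param([string]$From, [string]$To, [object[]]$Links)
    if ($From -eq $To) { return 0.25 }   # intra-site: change notification every ~15 seconds
    # Shortest path where every hop costs one full replication interval (you just missed the cycle)
    $best = @{}; $best[$From] = 0
    $queue = [System.Collections.Generic.Queue[string]]::new(); $queue.Enqueue($From)
    while ($queue.Count -gt 0) {
        $site = $queue.Dequeue()
        foreach ($link in ($Links | Where-Object { $_.Sites -contains $site })) {
            foreach ($next in ($link.Sites | Where-Object { $_ -ne $site })) {
                $candidate = $best[$site] + $link.Minutes
                if (-not $best.ContainsKey($next) -or $candidate -lt $best[$next]) {
                    $best[$next] = $candidate
                    $queue.Enqueue($next)
                }
            }
        }
    }
    if ($best.ContainsKey($To)) { return $best[$To] }
    return $null   # no site-link path: the change will never reach $To
}
$links   = Get-SiteLinkTable
$minutes = Get-WorstCaseReplicationMinutes -From 'Toronto' -To 'London' -Links $links
if ($null -eq $minutes) { "No replication path from Toronto to London" }
else { "Worst case Toronto -> London: $minutes minutes (about $([math]::Round($minutes / 60, 1)) hours); typical is roughly half that" }
```

With the sample topology the script reports 360 minutes (6 hours), matching the chain described above; against a real forest it reports the same figure for your own site links.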
To check the current replication status of your domain controllers, simply open a command prompt and type in repadmin /replsummary.
The easiest way to force a replication in Active Directory across your different sites is to:
The DC Locator service uses DNS and the subnets defined in Active Directory Sites and Services to figure out where the nearest domain controller is, and that is the one the local computer will get authentication and object information from.
This article is a goldmine of information! I appreciate how you've broken it down into such easily digestible chunks.