This is a question we receive frequently from our clients, how long does it take for permission change to take effect in Windows? The problem is there are three common types of permission changes and they each have different ways that they come into effect which means they have different timing. And then there is the question of what site you make the change in and how long it will take to replicate to other sites / offices.
In this short article we will get right to the facts to tell you how long it takes for things to replicate in Active Directory.
1 – Do Changes Made To Group Membership Take Effect Immediately?
The technical answer this question is yes, but the practical answer to this question is, no. Let us explain. When you make a change to a group in Active Directory that change will take place instantly however because Windows only enumerates what groups a user belongs to at the time of logon changes to group membership will not be noticed by most users until after they log out and back in.
2 – Are NTFS Permission Changes Instant?
Yes, changes made to permissions on folders stored on NTFS volumes come into effect immediately. However when most people ask that question they are actually asking if They add a user to a group that has access to a particular folder does that come into effect right away? And the answer to that question is no. See the previous section
3 – Do Changes to Permissions Assigned to Active Directory Objects (Like Users) Immediately Effective?
Permission changes to an active directory object like a user, a computer or a printer, Do come into effect immediately. However, that assumes that the object in question (i.e. User, Computer…) Is talking to the domain controller where you made the change. Otherwise you’ll have to wait for replication to complete which is usually just a few minutes.
How Long Does It Take For AD Changes to Replicate Within The Same Site?
You can think of intra-site replication as being instant because it is actually every 15 seconds. This means if you make a change to one domain controller, like adding a user, that user should show up on your other domain controllers and be visible in less than a minute as long as they are all in the same site.
The exception to this is critical directory updates like disabling the user, and those literally are instant.
How Long Does It Take For AD Changes to Replicate To Other Sites?
By default active directory changes will replicate to other sites on a 3 hour interval. If you have no idea when the last replication took place and you have to guess come with a logical thing to do is to guess that you’re halfway through a sync cycle and so changes will be replicated to Domain Controllers in other sites within 1.5 hours.
If you work in a company that has more than a single office, you will be familiar with the concept of “sites” and therefore you should be familiar with Active Directory Sites and Services.
In most cases you can consider a site to be analogous to an office address. If you two offices in Toronto, one in Calgary and five in New York, your Active Directory will most likely have eight sites.
Sites and Services is where you define the boundaries of your sites. In particular you tell Active Directory the subnets and related Domain Controllers in each of your other sites.
Most companies use a mesh topology now so that all sites are connected to all sites simply to improve replication time and increase redundancy. However, if your company has a complex topology (like many banks and high security organizations), it could take multiple sync cycles for changes made in one site to replicate to another. For instance if you have Toronto replicating only with New York and New York replicates with London, changes made in Toronto could take 6 hours to show up in London (3 hours from Toronto to New York + 3 hours from New York to London).
How To Determine When Then Last Active Directory Sync Occurred
Simply open a command prompt and type in RepAdmin /replsummary
How To Force a Manual AD Replication Right Now
The easiest way to force a replication in Active Directory across your different sites is to:
- launch Active Directory Sites and Services
- Expand the site you made your change in
- Expand SERVERS
- Expand one of the DC servers
- Expand NTDS SETTINGS
- Right click on Automatically Replicated and select REPLICATE NOW
How Does Active Directory Figure Out Which DC a Computer Should Use?
The DC Locator Service, uses DNS and Active Directory Sites and Services subnets to figure out where the nearest domain controller is, and that is the one the local computer will get authentication and object information from.
1 Comment
Lorena Pierce · October 24, 2023 at 9:08 am
This article is a goldmine of information! I appreciate how you’ve broken down into such easily digestible chunks.