Registry Entries Used to Configure Caching Behavior
| Registry Entry | Type | Default Value | Notes |
|---|---|---|---|
| Cached Membership Site Stickiness (minutes) | DWORD | 172800 (Value is in minutes. This setting equals 180 days) | Defines how long the site affinity remains in effect. The site affinity value is updated when half of the period defined by this value has expired. If an account has not logged on with a domain controller for one half of this value or longer, the account is removed from the list of accounts whose memberships are being refreshed. The default value is recommended. |
| Cached Membership Staleness (minutes) | DWORD | 10080 (Value is in minutes. This setting equals 7 days) | Determines the maximum staleness value when using cached group membership. The account cannot log on if the cached membership list is older than the staleness value and no global catalog server is available. The default value is recommended. |
| Cached Membership Refresh Interval (minutes) | DWORD | 480 (Value is in minutes. This setting equals 8 hours) | Defines the length of time between group membership cache refreshes. This value should be changed to synchronize once a day (1440 minutes). For dial-up connections, you might want a value higher than 24 hours. Lowering the value to increase the frequency of cache refresh is not recommended because it causes increased WAN traffic, potentially defeating the purpose of Universal Group Membership Caching. |
| Cached Membership Refresh Limit | DWORD | 500 | Defines the maximum number of user and computer accounts that are refreshed. Increase this setting only if event ID 1669 occurs in the event log or you have more than 500 users and computers in a branch. If the number of users and computers in a branch exceeds 500, a general recommendation is to either place a global catalog server in the branch or increase the Cached Membership Refresh Limit above 500. Be aware that increasing the limit might incur more WAN traffic than global catalog update traffic would. |
| SamNoGcLogonEnforceKerberosIpCheck | DWORD | 0 | By default, allows site affinity to be tracked for Kerberos logons that originate outside the site. A value of 1 configures SAM so that it does not give site affinity to Kerberos logon requests that originate outside the current site. This option should be set to 1 on domain controllers in branch sites to prevent logon requests from outside the site being given affinity for the local site. This setting prevents an account’s affinity from being changed during the logon process when connecting to a Kerberos key distribution center (KDC) outside of the account’s site. |
| SamNoGcLogonEnforceNTLMCheck | DWORD | 0 | Configures SAM not to give site affinity to NTLM logon requests that are network logon requests. This setting reduces the number of accounts with site affinity by excluding those that simply accessed network resources (by using NTLM). This option should not be enabled if you use older clients that must authenticate from outside the branch to local resources in the branch. |
Source: Microsoft Corporation
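The following PowerShell is an added example, not Microsoft's own tooling: it audits a branch-site domain controller's Universal Group Membership Caching entries against the recommendations in the table (default stickiness and staleness, a daily refresh interval, the 500-account refresh limit, and the Kerberos IP check enabled), checks for event ID 1669, and can apply the recommended values. It assumes the entries live under the NTDS\Parameters key and that event 1669 is written to the Directory Service log; verify both against your Microsoft documentation before use. SamNoGcLogonEnforceNTLMCheck is left out of the expected set because the table makes it depend on your client population.

```powershell
# ASSUMPTION: registry location of the caching entries (verify before use).
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Entry -> value recommended by the table for a branch-site DC.
$Expected = [ordered]@{
    'Cached Membership Site Stickiness (minutes)'  = 172800 # default recommended
    'Cached Membership Staleness (minutes)'        = 10080  # default recommended
    'Cached Membership Refresh Interval (minutes)' = 1440   # once a day, per the table
    'Cached Membership Refresh Limit'              = 500    # raise only on event 1669 or >500 accounts
    'SamNoGcLogonEnforceKerberosIpCheck'           = 1      # branch DCs: no affinity for out-of-site Kerberos logons
}

function Get-UgmcSettings {
    # Reads each entry and reports OK / DEVIATES / MISSING (absent = built-in default applies).
    param([string]$Path = $KeyPath)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        $actual = $props.PSObject.Properties[$name].Value   # $null when the value is not set
        [pscustomobject]@{
            Entry    = $name
            Actual   = $actual
            Expected = $Expected[$name]
            Status   = if ($null -eq $actual) { 'MISSING' }
                       elseif ($actual -eq $Expected[$name]) { 'OK' }
                       else { 'DEVIATES' }
        }
    }
}

function Test-RefreshLimitExceeded {
    # Event ID 1669 (from the table) means the refresh limit was hit.
    # ASSUMPTION: the event is logged in the Directory Service log.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Directory Service'; Id = 1669; StartTime = (Get-Date).AddDays(-$Days) }
    [bool](Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue)
}

function Set-UgmcRecommended {
    # Writes the expected values as REG_DWORD; supports -WhatIf so changes can be reviewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $KeyPath)
    foreach ($name in $Expected.Keys) {
        if ($PSCmdlet.ShouldProcess("$Path\$name", "Set DWORD to $($Expected[$name])")) {
            Set-ItemProperty -Path $Path -Name $name -Value $Expected[$name] -Type DWord
        }
    }
}

Get-UgmcSettings | Format-Table -AutoSize
if (Test-RefreshLimitExceeded) { Write-Warning 'Event 1669 seen: refresh limit reached; consider a local GC or a higher limit.' }
Set-UgmcRecommended -WhatIf   # drop -WhatIf to apply
```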