Cisco Web Security Appliance

Why does a user still maintain permissions even after being removed from an AD group?

Document ID: 117951

Updated: Jul 16, 2014

Contributed by Cordelia Naumann and Siddharth Rajpathak, Cisco TAC Engineers.

Question

Why does a user still maintain permissions even after being removed from an AD group?


Environment: Cisco Web Security Appliance (WSA), all versions of AsyncOS

When Windows users log in to a domain member workstation, their "keychain" of permissions is fetched during authentication from the domain controller they authenticate against. This process is performed only at login time. Therefore, any AD group membership changes made while a user is still logged in won't affect that user until they log out and log back in again, because NTLM credentials are cached for each session.
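
To confirm that a user's session still carries a group that has since been removed in AD, the login-time group list can be compared with what the directory reports now. The following PowerShell is an added example, not part of the original Cisco document. It assumes it is run as the affected user on the domain-joined workstation and that the groups of interest are in the user's own domain; all variable and function names are illustrative.

```powershell
# Added example: compare the groups fixed in the current logon session
# with the groups Active Directory reports for the same user right now.
# Assumption: run as the affected user on a domain-joined workstation.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $identity.User.AccountDomainSid
if (-not $domainSid) { throw 'Current identity has no account domain SID.' }
$prefix = $domainSid.Value + '-'   # keep only groups from the user's own domain

# Group SIDs fetched at login time (what the session still carries).
$sessionSids = @($identity.Groups | ForEach-Object { $_.Value } |
    Where-Object { $_.StartsWith($prefix) })

# Group SIDs the directory computes now (tokenGroups is built on request).
$searcher = [adsisearcher]"(objectSid=$($identity.User.Value))"
$result   = $searcher.FindOne()
if (-not $result) { throw 'User object not found in the directory.' }
$entry = $result.GetDirectoryEntry()
$entry.psbase.RefreshCache([string[]]@('tokenGroups'))

$currentSids = @(foreach ($bytes in $entry.psbase.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0
    if ($sid.Value.StartsWith($prefix)) { $sid.Value }
})

# Translate a SID to DOMAIN\Name; fall back to the raw SID if lookup fails.
function Resolve-Sid([string]$Sid) {
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# In the session but no longer in AD: removed after login, still effective.
$sessionSids | Where-Object { $currentSids -notcontains $_ } | ForEach-Object {
    [pscustomobject]@{ Group = Resolve-Sid $_; State = 'Removed in AD, still in session' }
}

# In AD but not in the session: added after login, not yet effective.
$currentSids | Where-Object { $sessionSids -notcontains $_ } | ForEach-Object {
    [pscustomobject]@{ Group = Resolve-Sid $_; State = 'Added in AD, not yet in session' }
}
```

No output means the session and the directory agree; any row listed as removed will persist until the user logs out and back in.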
