Updated: July 16, 2014
Why does a user still maintain permissions even after being removed from an AD group?
Environment: Cisco Web Security Appliance (WSA), all versions of AsyncOS
Windows users log in to a domain member workstation, and during authentication their "keychain" of permissions is fetched from the domain controller they authenticate against. This process is performed only at login time. Therefore, any AD group membership changes made while a user is still logged in won't affect that user until they log out and log back in again, because NTLM credentials are cached for each session.
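To check whether a logged-in user is in this state, the script below (an added example, not Cisco code) compares the group SIDs held by the current Windows session with the membership the domain controller reports now. It assumes a domain account on a domain-joined workstation with a reachable domain controller, and it compares only groups from the user's own domain; `Resolve-SidName` and the `Status` labels are names made up for this example.

```powershell
# Added example: run as the affected user inside the session being checked.
# Assumption: domain account, domain-joined workstation, reachable domain controller.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $identity.User.AccountDomainSid.Value

# Domain group SIDs held by the access token that was built at login time.
$sessionSids = @($identity.Groups |
    ForEach-Object { $_.Value } |
    Where-Object { $_ -like "$domainSid-*" })

# Current membership as the domain controller computes it now.
# tokenGroups is a constructed attribute, so it must be requested explicitly.
$user = [ADSI]"LDAP://<SID=$($identity.User.Value)>"
$user.psbase.RefreshCache([string[]]@('tokenGroups'))
$directorySids = @(foreach ($bytes in $user.psbase.Properties['tokenGroups']) {
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}) | Where-Object { $_ -like "$domainSid-*" }

# Hypothetical helper: turn a SID string into DOMAIN\Group for display.
function Resolve-SidName([string]$Sid) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # group deleted or not resolvable: show the raw SID
    }
}

# Removed in AD but still in the session: the permission persists until logout.
$sessionSids | Where-Object { $directorySids -notcontains $_ } | ForEach-Object {
    [pscustomobject]@{ Status = 'RemovedInAD_StillInSession'; Group = Resolve-SidName $_ }
}

# Added in AD but not yet in the session: takes effect at the next login.
$directorySids | Where-Object { $sessionSids -notcontains $_ } | ForEach-Object {
    [pscustomobject]@{ Status = 'AddedInAD_NotInSession'; Group = Resolve-SidName $_ }
}
```

No output means the session and the directory agree for the user's own domain; any `RemovedInAD_StillInSession` row is a group the user keeps until they log out and log back in.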