Click here to return to the KiXtart HelpDesk main page...

KiXtart 2001 Manual

Group Membership Information

Introduction

KiXtart provides functions to test or enumerate the group-membership of the current user (specifically: InGroup() and EnumGroup()). These functions operate on an in-memory list of groups the user is a member of. This list is filled once during every KiXtart session (in other words: once every time you run KIX32.EXE). 

Previous versions of KiXtart always queried the logonserver for the group-membership information. This provided information on both local and global groups in the logondomain. As of KiXtart 2001, KiXtart retrieves group-membership information using the security token of the current user. The benefit of the new method is that KiXtart can now support universal groups as well as nested global groups.


Note: Because a security token is created during the logon of a user and does not change while that user is logged on, changes to the userís group-membership are not visible to KiXtart until the next time the user logs on.

Group-membership information cache

As both methods of retrieving the group-membership are relatively costly in terms of network traffic and process time the latest update of KiXtart caches the group-membership information in the registry. This means that once the cache is filled, subsequent runs of KIX32.EXE will require much less time to retrieve the group-membership information.

The group-membership cache is stored in the registry hive of the current user and contains security-identifier-to-groupname mappings. Changes to a user's group-membership are automatically handled by KiXtart during the next logon.


Note: If an existing group is renamed, that change will not be visible to KiXtart until the next time the token-cache is refreshed.

The cache is automatically refreshed every 30 days.

A refresh of the cache can also be forced using the new '/f' command line option:

KIX32 <yourscript> /f

Optionally, you can include a date, indicating how old the cache must be for it to be refreshed:

KIX32 <yourscript> /f:2001/12/31


Note: The group-membership cache feature of KiXtart is only available on Windows NT or higher.