Thursday, June 28, 2018

AD Query still returns old user name after user name was changed at domain controller


Consider the following scenario:

  1. On the domain member computer, an application calls the LsaLookupSids function to translate a security identifier (SID) to a user name.
  2. The user name has been changed on a domain controller.
  3. In this scenario, the LsaLookupSids function may return the old user name instead of the new user name. This behavior may prevent the application from working correctly.


The local security authority (LSA) caches the mapping between the SID and the user name in a local cache on the domain member computer. The cached user name is not synchronized with domain controllers. The LSA on the domain member computer first queries the local SID cache. If an existing mapping is already in the local SID cache, the LSA returns the cached user name information instead of querying the domain controllers. This behavior is intended to improve performance.

The cache entries do time out, however chances are that recurring queries by applications keep the existing cache entry alive for the maximum lifetime of the cache entry.


To work around this issue, disable the local SID cache on the domain member computer as follows.

  1. In RegEdit, locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  2. Create a new DWORD directly under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", name it LsaLookupCacheMaxSize and assign value 0.
  3. Reboot may not be required.

Note The LsaLookupCacheMaxSize registry entry sets the maximum number of cached mappings that can be saved in the local SID cache. The default maximum number is 128. When the LsaLookupCacheMaxSize registry entry is set to 0, the local SID cache is disabled.


No comments: