I'm trying to set up a somewhat complex access scenario for a shared folder (domain-joined Windows Server 2022) and I'm having some really weird things happen.

I've created 3 groups in AD: Top Test Group, Test Group A and Test Group B. Test Group A and B are both placed inside Top Test Group.

I've set up a simple share and I've given access to Top Test Group. I've then tried accessing it with my non-admin account and found that I don't have access. Well... no surprises there - I forgot to add myself to one of the groups! But after adding myself to Test Group A I... still didn't have access. Effective Access check showed this as well. When I checked Top Test Group with Effective Access then I saw the expected permission set.

After a few minutes the Effective Access did finally show the expected permission set for my user but I was still unable to access the network share itself (Top Test Group has read/write share permissions).

This would suggest permissions are somehow cached, AND cached by different systems for different durations, but I don't recall such a thing for SMB shares; I always thought they "update" instantly (changes of permissions / groups).

Any idea what's happening here?

MBender
  • If you change a permission on a Windows client or share, the specific user needs to log off and log in to get the changes. It will most likely not get updated while the session is active – djdomi Sep 01 '22 at 17:07
  • @djdomi That could be it, thanks. – MBender Sep 01 '22 at 17:28
  • That is the normal behavior since Active Directory learned the walking ;) – djdomi Sep 01 '22 at 17:32

1 Answer

As @djdomi wrote: The group memberships of your account are not updated on the fly.

When logging in to a Windows domain, you get a “ticket” containing information about your current group memberships from which servers can deduce whether you should be allowed to access a specific resource. This ticket needs to be replaced with a new one containing the current group membership information if your user gets added to new groups.

Logging off and back on again is the common way of updating this information.

Mikael H
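A way to see the effect the answer describes for yourself, as an added example that is not part of the question or answer: compare the groups in the current logon token with the account's current AD membership (nested groups included, since Test Group A sits inside Top Test Group). It assumes the RSAT ActiveDirectory module is installed and that you run it from the session whose access is failing.

```powershell
# Added example (not from the question or answer): compare the groups in the
# current logon token with the account's current (nested) AD membership.
# Assumes the RSAT ActiveDirectory module is installed on the client.
Import-Module ActiveDirectory

# 1. Groups as seen in the access token of this logon session. The token is
#    built at logon from the ticket's group list and does not change afterwards.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = foreach ($sid in $identity.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

# 2. Groups the account belongs to in AD right now, including nested ones.
#    The matching-rule OID (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC walk the
#    member chain, so "Top Test Group" is returned for a member of "Test Group A".
$user = Get-ADUser -Identity $env:USERNAME
$adGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    ForEach-Object { "$env:USERDOMAIN\$($_.SamAccountName)" }

# 3. Anything present in AD but absent from the token is membership this
#    session cannot use until a new logon produces a fresh token.
$stale = $adGroups | Where-Object { $tokenGroups -notcontains $_ }
if ($stale) {
    "Groups added in AD but missing from this session's token (log off and on to pick them up):"
    $stale
} else {
    "Token group membership matches current AD membership."
}
```

Right after being added to Test Group A, the script lists both Test Group A and Top Test Group as stale; after logging off and back on, the list is empty and the share access works.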