Security in Windows 2000 Server is based on tokens. When you log on, the operating system creates a token for you that contains all the security identifiers (SIDs) for the groups you belong to and your privileges. Whenever you try to access a resource, the operating system checks your token and the ACL on the resource to determine if you’re allowed to access that resource.

By default, Internet Information Services (IIS) caches the token and waits 15 minutes before updating it. This delay can cause a problem in some situations, such as after changing passwords. You have two options for eliminating this wait: stop and start all IIS services, or change the default update interval, which you can do through a registry edit.

To change IIS’s default update interval, first open the Registry Editor (Regedt32.exe) and go to registry key:



  1. On the Edit menu, click Add Value, type “UserTokenTTL” in the Value Name text box, and select REG_DWORD as the Data Type.
  2. In the Data box, type the number of seconds for the token to be cached. (For Windows 2000 IIS5 the minimum is 1 second.)
  3. Close the Registry Editor and then stop and restart all IIS services.

For performance reasons, be careful not to set the UserTokenTTL value too low. If you make updates infrequently, use the stop-restart method mentioned in paragraph two, above.

Note: Editing the registry can be risky, so be sure you have a verified backup before making any changes.

Miss a column?

Check out the Windows 2000 Server archive, and catch up on the most recent editions of Jim Boyce’s column.
