When Universal Group caching is enabled, a user's Universal Group membership is stored in their msDS-Cached-Membership attribute, along with the current time (msDS-Cached-Membership-Time-Stamp) and logon site (msDS-Site-Affinity). The msDS-Site-Affinity attribute is replicated to the other domain controllers. When the user logs on again, the Universal Group SIDs are read from their msDS-Cached-Membership attribute, provided their msDS-Cached-Membership-Time-Stamp is within the staleness limit. That limit is the Cached Membership Staleness (minutes) value, a REG_DWORD at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, which defaults to 7 days.
See Universal Group caching for modifying the default 8 hours between cached membership updates and the default limit of 500 users per update.
If the cached membership is stale, a global catalogue is accessed to update the msDS-Cached-Membership and msDS-Cached-Membership-Time-Stamp attributes.
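The staleness decision described above can be checked for a single account with the following added example, which is not part of the original page. It assumes it is run on a domain controller in a caching-enabled site with the ActiveDirectory module available; the account name `jdoe` is a placeholder, and the time stamp is assumed to be a FILETIME-style large integer.

```powershell
# Added example: report whether one user's cached Universal Group membership
# on this domain controller is within the staleness limit.
Import-Module ActiveDirectory

$UserName = 'jdoe'   # placeholder sAMAccountName (assumption)

# Staleness limit in minutes. If the registry value is absent, the 7-day default applies.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$name  = 'Cached Membership Staleness (minutes)'
$limit = (Get-ItemProperty -Path $key -ErrorAction Stop).$name
if ($null -eq $limit) { $limit = 7 * 24 * 60 }

# Query this DC's own copy of the user object.
$attrs = 'msDS-Cached-Membership', 'msDS-Cached-Membership-Time-Stamp', 'msDS-Site-Affinity'
$user  = Get-ADUser -Identity $UserName -Server $env:COMPUTERNAME -Properties $attrs

$raw = $user.'msDS-Cached-Membership-Time-Stamp'
if ($null -eq $raw) {
    # No time stamp means nothing has been cached for this user on this DC.
    $stamp = $null; $ageMinutes = $null; $state = 'NoCache'
} else {
    # Assumption: the time stamp is a FILETIME-style large integer in UTC.
    $stamp      = [DateTime]::FromFileTimeUtc([Int64]$raw)
    $ageMinutes = [Math]::Round(((Get-Date).ToUniversalTime() - $stamp).TotalMinutes)
    # Fresh: cached SIDs are used at logon. Stale: a global catalogue is contacted.
    $state      = if ($ageMinutes -le $limit) { 'Fresh' } else { 'Stale' }
}

[PSCustomObject]@{
    User               = $user.SamAccountName
    HasCachedSids      = ($null -ne $user.'msDS-Cached-Membership')
    HasSiteAffinity    = ($null -ne $user.'msDS-Site-Affinity')
    CacheTimeStampUtc  = $stamp
    AgeMinutes         = $ageMinutes
    StalenessLimitMin  = $limit
    State              = $state
}
```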