This should happen automatically and immediately once there has been a change to anyones AD Group Membership (you could use their kerberos/NTLM/Windows Authentication to achieve that), and/or allow this to be specified by an admin in the DPS Console.
The reason for requesting this feature, is because;
* We offer RDM as a Microsoft RemoteApp, which is accessed through RDWeb. (RDM itself is running on multiple terminal servers)
* We use a PAM solution, and as such, our users activate their rights on a need-to-need basis, which effectively puts them in/out of a security group that has been given pre-defined rights to a repository.
Ideally; changes in a users’ AD Group memberships shouldn’t be cached at all, it should happen on-the-fly, and you can prevent reading the whole AD for changes to all users, by specifying that users have to be a part of a certain AD group to begin with, so that only users who are a part of that certain AD group, will have their group memberships refreshed on-the-fly.
We use to check the AD group automatically on logging but this was causing DPS huge performance issue. This is why we synchronize the AD group instead now. I will talk with the team and verify if we can find a better way.
I understand that this could cause the user experience to be a bit sluggish, but there's a way around this, which would be to let administrators define a certain AD group where any members within this AD group will have all their AD Group Memberships updated without delay.
As otherwise, using RDM in environments that are using PAM/PIM solutions as a need for a better access control will suffer.
All the best.