in short: you are 100% correct. Yes, 4.01 indeed uses the user's security token to retrieve group membership information instead of a query of the SAM/DS (as used by previous versions of KiXtart).

This indeed has the side-effect that changes in group-membership are reflected the next time a user logs on.

So why did I change this? Well, the new mechanism enables me to determine a complete list of groups, including BUILTIN Groups, Universal Groups and nested Global Groups.

Hope this clarifies things, and I will look at adding a paragraph on this to the documentation.

Kind regards,

Ruud