I’m new to EpiServer and wondered if someone could explain whether the below is default EpiServer behavior or a bug in our particular setup.

We are running EpiServer to power our Intranet and have it setup with user information coming over from Active Directory but security groups being managed by EpiServer; users are automatically logged into the EpiServer CMS when they open their browser and logging out or switching login accounts is not permitted.

During my testing I’ve found that adding/removing users from EpiServer security groups does not take effect until the user starts a new browser/login session i.e. they either close and re-open their browser OR allow their session to time-out.

Is it default EpiServer behavior to find that removing a user from the Administrators group, for example, does not take affect until the user closes their browser e.g. you remove a user from the administrators group and find that the security change does not instantly take effect and the user continues to have full administrator access, including the ability to re-add their account to the administrator group, until a new browser/login session is started?

Any information regarding whether the above is an implementation/configuration issue on our environment or default EpiServer behavior would be appreciated.