How to Refresh AD Groups Membership Without User Logoff


Sometimes a system reboot or user logoff is impossible for production reasons, yet you need the new rights, access or policies to take effect right now. It is possible to refresh an account's Active Directory group membership without restarting the computer or having the user log on again.

Note. The method described in this article works only for network services that support Kerberos authentication, because the refreshed group membership is carried in the PAC of a newly issued ticket. Services that authenticate only with NTLM still require the user to log off and on again, or a Windows restart.

You can get the list of groups the current user is a member of in the command prompt using the following command:

whoami /groups

or GPResult

gpresult /r

(Screenshot: gpresult output, security groups membership)

The list of groups a user is a member of is displayed in the section The user is a part of the following security groups.

Kerberos tickets can be reset without restarting the computer using klist.exe. Klist has been included in Windows since Windows 7. For Windows XP and Windows Server 2003 it is installed as part of the Windows Server 2003 Resource Kit Tools.

To purge the entire Kerberos ticket cache of the computer account (the Local System logon session) and refresh the computer's membership in AD groups, run the following command in a command prompt with administrator privileges:

klist -lh 0 -li 0x3e7 purge

Note. 0x3e7 (decimal 999) is the well-known logon ID (LUID) of the Local System session; -lh and -li select a logon session by the high and low parts of its LUID, so -lh 0 -li 0x3e7 targets the computer account's ticket cache rather than your own.

After running the command and refreshing the policies (gpupdate /force), the computer obtains a new TGT that carries its updated group SIDs, and all policies assigned to the AD group through Security Filtering are applied to the computer.

Now for the user. Suppose the user's domain account has just been added to an Active Directory group that grants access to a file share. Without logging on again, the user cannot access it: the group is not in the user's existing Kerberos tickets, so the file server denies access.

(Screenshot: access to the share is denied)

Purge all Kerberos tickets of the current user with this command (no elevation required):

klist purge

Purging tickets does not change the access token of processes that are already running, so whoami /groups in the same window still shows the old list. To see the updated list of groups, start a new command prompt with runas, so that a new logon session and a new security token are created for the process.

For example, the user has been added to an AD group that grants access to a network share. Open the share by its FQDN (e. g., \\lon-fs1.woshub.loc\Install) and verify that a fresh TGT has been issued:

klist tgt

The share protected by the AD group now opens without the user logging on again. Note that you must use the FQDN: a connection by IP address, or to a server that supports only NTLM, does not use Kerberos and will not pick up the refreshed membership.

(Screenshot: the share opens when accessed by its FQDN path)
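The whole procedure for both the user and the computer account, as an added PowerShell example (not code from the original article). It assumes an elevated PowerShell session on a domain-joined host, uses the article's share path as a placeholder that must be replaced with a share the new group grants access to, and parses the text output of klist.exe because there is no structured API for the ticket cache.

```powershell
<#
Added example, not from the original article.
Refreshes Kerberos tickets so that new AD group membership takes effect
without logoff or reboot. Assumptions: elevated PowerShell on a domain-joined
host; \\lon-fs1.woshub.loc\Install is a placeholder share path.
Only Kerberos-authenticated services benefit from this.
#>

function Get-KlistServers {
    # Returns the 'Server:' SPN of every cached ticket in the selected logon
    # session, parsed from klist.exe text output.
    param([string[]]$SessionArgs = @())
    & klist.exe @SessionArgs 2>$null | ForEach-Object {
        if ($_ -match '^\s*Server:\s+(\S+)') { $Matches[1] }
    }
}

function Update-KerberosGroupMembership {
    [CmdletBinding()]
    param(
        # 'User' = current user's logon session; 'Computer' = Local System (LUID 0x3e7)
        [ValidateSet('User', 'Computer')]
        [string]$Scope = 'User',
        # UNC path by FQDN, used to force a fresh TGT and service ticket after the purge
        [string]$TestPath = '\\lon-fs1.woshub.loc\Install'
    )

    # klist -lh <high> -li <low> selects a logon session by its LUID;
    # 0x3e7 (999) is the well-known LUID of the Local System session.
    $sessionArgs = if ($Scope -eq 'Computer') { @('-lh', '0', '-li', '0x3e7') } else { @() }

    if ($Scope -eq 'Computer') {
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = [Security.Principal.WindowsPrincipal]::new($identity)
        if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
            throw 'Purging the Local System ticket cache requires an elevated session.'
        }
    }

    $before = @(Get-KlistServers -SessionArgs $sessionArgs)

    # Drop every cached ticket, TGT included. Nothing is re-requested until the
    # next Kerberos authentication, which is why one is triggered right after.
    & klist.exe @sessionArgs purge | Out-Null

    $reachable = $null
    if ($Scope -eq 'Computer') {
        # A policy refresh makes the computer account authenticate again; GPOs
        # filtered on the new group are evaluated against the new TGT's group SIDs.
        & gpupdate.exe /target:computer /force | Out-Null
    }
    elseif ($TestPath) {
        # Must be the FQDN: an IP address or a non-Kerberos server falls back to
        # NTLM, which never sees the refreshed membership.
        $reachable = Test-Path -LiteralPath $TestPath
    }

    $after = @(Get-KlistServers -SessionArgs $sessionArgs)

    [pscustomobject]@{
        Scope          = $Scope
        TicketsPurged  = $before.Count
        TicketsNow     = $after.Count
        HasNewTgt      = [bool]($after -match '^krbtgt/')
        ShareReachable = $reachable
    }
}

# Usage: refresh the current user's tickets and test the share, then the computer's.
Update-KerberosGroupMembership -Scope User
Update-KerberosGroupMembership -Scope Computer

# The existing process token is unchanged, so `whoami /groups` in this window
# still shows the old list. Start a new process with a fresh logon to see the
# updated token (replace <username> with the account that was added to the group):
#   runas /user:WOSHUB\<username> cmd.exe
```

HasNewTgt confirms that a krbtgt/ ticket was issued after the purge; if it stays false in the User scope, the share was not reached over Kerberos (wrong path form, or an NTLM-only server), and the membership refresh cannot work for that target.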
