How to Refresh AD Groups Membership without Reboot/Logoff?

All Windows admins know that after a computer or a user is added to an Active Directory security group, the new permissions to access domain resources or the new GPOs are not applied immediately. To update group membership and apply the assigned permissions or Group Policies, you need to restart the computer (if a computer account was added to the domain group) or perform a logoff and logon (for the user). This is because AD group memberships are updated when a Kerberos ticket is created, which happens on system startup or when a user authenticates during login.

In some cases, the computer reboot or user logoff cannot be performed immediately for production reasons. At the same time you need to use the permissions, access the resources or apply the new Group Policies right now. In such cases, you can update the account membership in Active Directory groups without a computer reboot or user re-login using the klist.exe tool.

Note. The method described in this article works only for network services that support Kerberos authentication. Services that work only with NTLM authentication still require a logoff + logon of the user or a Windows restart.

You can get the list of groups the current user is a member of in the command prompt using the following commands:

whoami /groups

or

gpresult /r

The list of groups a user is a member of is displayed in the section "The user is a part of the following security groups".

You can reset the current Kerberos tickets without a reboot using the klist.exe tool. Klist is a built-in system tool starting from Windows 7. For Windows XP/Windows Server 2003, klist is installed as a part of the Windows Server 2003 Resource Kit Tools.

How to Refresh Kerberos Ticket and Update Computer Group Membership without Reboot?

To reset the entire Kerberos ticket cache of a computer (Local System) and update the computer's membership in AD groups, you need to run the following command in an elevated command prompt:

klist -li 0:0x3e7 purge

Note. 0x3e7 is a well-known logon identifier that points to the session of the local computer (Local System).

After running the command and updating the policies (you can update the policies with the gpupdate /force command), all Group Policies assigned to the AD group via Security Filtering will be applied to the computer.

If LSA access restriction policies are configured in your domain (for example, restricting the use of SeDebugPrivilege), or other security policies, in some cases when you run the klist -li 0:0x3e7 purge command, you get an error like "Error calling API LsaCallAuthenticationPackage":

Current LogonId is 0:0x3d2de2
Targeted LogonId is 0:0x3e7
*** You must run this tool while being elevated, and you must have TCB or be a local admin.***
klist failed with 0xc0000001/-1073741823:
The requested operation was unsuccessful.

In this case you can purge the computer's Kerberos tickets on behalf of NT AUTHORITY\SYSTEM. The easiest way to do that is with the psexec tool:

psexec -s -i -d cmd.exe – run cmd on behalf of Local System

klist purge – reset the computer tickets

gpupdate /force – update GPO
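The whole computer-side procedure (purge the Local System ticket cache, fall back to PsExec when LSA refuses the direct purge, re-run Group Policy, and confirm the computer obtained a new TGT) as one PowerShell script. This is an added example, not code from the original article; it assumes PsExec.exe from Sysinternals is on the PATH and that the script is run from an elevated prompt, and the Get-SystemTgtStartTime helper is my own.

```powershell
# Added example: refresh the computer account's Kerberos tickets and re-apply GPOs.
# Assumptions: PsExec.exe (Sysinternals) is on PATH; run from an elevated prompt.
#Requires -RunAsAdministrator

# 0x3e7 is the well-known logon ID of the Local System session.
$systemLogonId = '0x3e7'

function Get-SystemTgtStartTime {
    # Helper (not a klist feature): parse the start time of the cached TGT
    # in the Local System session so the refresh can be verified.
    $out = & klist.exe -li $systemLogonId tgt 2>&1 | Out-String
    if ($out -match 'Start\s*Time\s*:\s*(.+)') { return $Matches[1].Trim() }
    return $null
}

$before = Get-SystemTgtStartTime
Write-Host "SYSTEM TGT start time before purge : $before"

# Try the direct purge first. klist reports failures on stdout, so capture everything.
$purgeOutput = & klist.exe -li $systemLogonId purge 2>&1 | Out-String
if ($purgeOutput -match 'LsaCallAuthenticationPackage|klist failed') {
    Write-Warning 'Direct purge refused (LSA restriction); retrying as NT AUTHORITY\SYSTEM via PsExec.'
    # -s runs the command as Local System; without -i/-d the call blocks until klist exits.
    & psexec.exe -accepteula -s klist.exe purge | Out-Null
}

# Group Policy processing contacts the DC with Kerberos, which requests a fresh TGT
# for the computer account; policies filtered on the new group membership now apply.
& gpupdate.exe /force | Out-Null

$after = Get-SystemTgtStartTime
Write-Host "SYSTEM TGT start time after refresh: $after"
if ($after -and ($after -ne $before)) {
    Write-Host 'Computer TGT was re-issued; the updated group list is in effect for Kerberos-authenticated services.'
} else {
    Write-Warning 'TGT start time unchanged; inspect "klist -li 0x3e7 tgt" manually.'
}
```

Only services that authenticate the computer with Kerberos see the new membership after this; anything the computer reaches over NTLM still needs a reboot, as the article notes.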

Klist: Purge User Kerberos Ticket without Logoff

Another command is used to update the assigned Active Directory security groups in a user session. For example, a domain user account has been added to an Active Directory group to access a shared network folder. The user won't be able to access this shared folder without a logoff.

In order to refresh the Kerberos tickets of the user, use this command:

klist purge

Current LogonId is 0:0x5e3d69
Deleting all tickets:
Ticket(s) purged!

To see the updated list of groups, you need to open a new command prompt (so that a new process is created with a new security token).

On an RDS server you can reset the Kerberos tickets for all user remote sessions at once using the following PowerShell one-liner:

# Skip sessions authenticated via NTLM (they hold no Kerberos tickets), then purge every
# remaining logon session by its hexadecimal logon ID (the same -li syntax as above).
Get-WmiObject Win32_LogonSession | Where-Object { $_.AuthenticationPackage -ne 'NTLM' } | ForEach-Object { klist.exe purge -li ('0x{0:x}' -f [int64]$_.LogonId) }

Suppose the AD group has been assigned to a user to access a shared folder. Try to access it using its FQDN name (!!! this is important, for example, \\lon-fs1.woshub.loc\Install). At this point, a new Kerberos ticket is issued to the user. You can verify that the TGT ticket has been updated:

klist tgt

(see the Cached TGT Start Time value)

The shared folder to which access was granted via the AD group should open without a user logoff.

You can verify that the user received a new TGT with the updated security groups (without logging off) with the whoami /all command.

We remind you that this way of updating security group membership works only for services that support Kerberos. For services with NTLM authentication, a computer reboot or user logoff is required to update the token.
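The user-side procedure (klist purge, open the share by FQDN, check klist tgt) as one script that also shows whether the share was actually reached over Kerberos, which is the condition the NTLM caveat above depends on. This is an added example, not code from the original article; the UNC path is a placeholder to replace with a share the user was just granted through an AD group, and the two helper functions are my own parsers of klist output.

```powershell
# Added example: refresh the current user's Kerberos tickets without logoff and
# verify that a fresh TGT and a cifs/ service ticket were obtained.
# Assumption: $SharePath is a placeholder; use the server's FQDN, never an IP or short name.
$SharePath = '\\fileserver.example.com\Share'

function Get-TgtStartTime {
    # Helper: parse the start time of the cached TGT for the current logon session.
    $out = & klist.exe tgt 2>&1 | Out-String
    if ($out -match 'Start\s*Time\s*:\s*(.+)') { return $Matches[1].Trim() }
    return $null
}

function Get-KerberosServiceTickets {
    # Helper: return the SPNs of the service tickets currently cached in this session.
    $out = & klist.exe 2>&1 | Out-String
    [regex]::Matches($out, 'Server:\s+(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

$before = Get-TgtStartTime
Write-Host "TGT start time before purge : $before"

# Drop every ticket of this logon session; the logon token itself is untouched.
& klist.exe purge | Out-Null

# Opening the share by FQDN triggers a new AS exchange (new TGT carrying the updated
# group list in its PAC) followed by a TGS request for cifs/<fqdn>.
$accessible = Test-Path -LiteralPath $SharePath

$after = Get-TgtStartTime
Write-Host "TGT start time after refresh: $after"
Write-Host "Share reachable            : $accessible"

$cifsTickets = Get-KerberosServiceTickets | Where-Object { $_ -like 'cifs/*' }
if ($cifsTickets) {
    Write-Host "Kerberos service tickets cached: $($cifsTickets -join ', ')"
} else {
    # No cifs/ ticket means the connection was negotiated over NTLM (typical when an IP
    # address is used), and NTLM sessions do not pick up the new membership without a logoff.
    Write-Warning 'No cifs/ service ticket cached: the share was reached over NTLM, which this method cannot refresh.'
}
```

If an SMB session to that server already existed before the purge, Windows reuses it and no new ticket is requested; close it first (net use \\server\share /delete) so the check is meaningful.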
