Windows OS Hub
  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange

 Windows OS Hub / Active Directory / How to Refresh AD Groups Membership without Reboot/Logoff?

May 8, 2020 Active DirectoryGroup Policies

How to Refresh AD Groups Membership without Reboot/Logoff?

All Windows admins know that after a computer or a user is added to an Active Directory security group, new permissions to access domain resources or new GPOs are not immediately applied. To update group membership and apply the assigned permissions or Group Policies, you need to restart the computer (if a computer account was added to the domain group) or perform a logoff and logon (for the user). This is because AD group memberships are updated when a Kerberos ticket is created, which occurs on system startup or when a user authenticates during login.

In come cases, the computer reboot or user logoff cannot be performed immediately for production reasons. At the same time you need to use the permissions, access or apply new Group Policies right now. In such cases, you can update the account membership in Active Directory groups without computer reboot or user re-login using the klist.exe tool.

Note. The method described in this article will work only for network services that support Kerberos authentication. The services working only with NTLM authentication still require logoff + logon of a user or Windows restart.

You can get the list of groups the current user is a member of in the command prompt using the following commands:

whoami /groups

or GPResult

gpresult /r

gpresult: security groups membership

The list of groups a user is a member of is displayed in the section The user is a part of the following security groups.

You can reset current Kerberos tickets without reboot using the klist.exe tool. Klist is a built-in system tool starting from Windows 7. For Windows XP/Windows Server 2003 klist is installed as a part of Windows Server 2003 Resource Kit Tools.

How to Refresh Kerberos Ticket and Update Computer Group Membership without Reboot?

To reset the entire cache of Kerberos tickets of a computer (local system) and update the computer’s membership in AD groups, you need to run the following command in the elevated command prompt:

klist -li 0:0x3e7 purge

klist -lh 0 -li 0x3e7 purge

Note. 0x3e7 is a special identifier that points to a session of the local computer (Local System).

After running the command and updating the policies (you can update the policies with the gpupdate /force command), all Group Policies assigned to the AD group through Security Filtering will be applied to the computer.

If the LSA access restriction policies is configured in your domain (for example, the Debug Program policy restricting the use of SeDebugPrivilege), or other security policies, in some cases when you run the klist -li 0: 0x3e7 purge command, you get an error like: “Error calling API LsaCallAuthenticationPackage”:

Current LogonId is 0:0x3d2de2
Targeted LogonId is 0:0x3e7
*** You must run this tool while being elevated, and you must have TCB or be a local admin.***
klist failed with 0xc0000001/-1073741823: {Operation Failed}
The requested operation was unsuccessful.

klist 0x3e7 purge failed with 0xc0000001

In this case you can purge your computer Kerberos ticket on behalf of  NT AUTHORITY\SYSTEM. The easiest way to do this is with the psexec tool:

psexec -s -i -d cmd.exe – run cmd on behalf of Local System

klist purge – computer ticket reset

gpupdate /force – update GPO

Klist: Purge User Kerberos Ticket without Logoff

Another command is used to update the assigned Active Directory security groups in user session. For example, a domain user account has been added to an Active Directory group to access a shared network folder. The user won’t be able to access this shared folder without logoff.

share access denied

In order to refresh Kerberos tickets of the user use this command:

klist purge

Current LogonId is 0:0x5e3d69
Deleting all tickets:
Ticket(s) purged!

klist purge

To see the updated list of groups, you need to run a new command prompt using runas (so that a new process is created with a new security token).

On the RDS server you can reset Kerberos tickets for all user remote sessions at once using the following PowerShell one-liner:

Get-WmiObject Win32_LogonSession | Where-Object {$_.AuthenticationPackage -ne 'NTLM'} | ForEach-Object {klist.exe purge -li ([Convert]::ToString($_.LogonId, 16))}

Suppose the AD group has been assigned to a user to access a shared folder. Try to access it using its FQDN name (!!! this is important, for example, \\lon-fs1.woshub.loc\Install). At this point, a new Kerberos ticket is issued to the user. You can check that the TGT ticket has been updated:

klist tgt

(see Cached TGT Start Time value)

klist tgt renewed ticket

The shared folder to which access was granted through the AD group should open without user logoff.

You can check that the user received a new TGT with updated security groups (without logging off) with the whoami /all command.

fqdn path share access

We remind you that this way of updating security group membership will work only for services that support Kerberos. For services with NTLM authentication, a computer reboot or user logoff is required to update the token.

8 comments
8
Facebook Twitter Google + Pinterest
previous post
Fix: Network Printer Goes Offline on Windows
next post
An Internal Error has Occurred: Remote Desktop Connection Error

Related Reading

Configuring Proxy Settings on Windows Using Group Policy...

February 17, 2021

Updating Group Policy Settings on Windows Domain Computers

February 16, 2021

How to Find Inactive Computers and Users in...

January 29, 2021

Checking User Logon History in Active Directory Domain...

January 22, 2021

How to Disable/Remove Thumbs.db File on Network Folders...

January 21, 2021

8 comments

myst October 20, 2016 - 6:10 am

Nice Post…Interestingly enough you can also kill the explorer process….then create a new task with “runas /user:username@domain explorer”. Then you can use all your mappings as per usual.

Reply
Diego Sebastian January 26, 2018 - 11:20 am

On my domain only works this for a network drive:

@echo off
net use M: /d /y
gpupdate /force
net use M: \\10.11.12.233\Archivos /persistent:Yes
explorer.exe M:

Reply
Andrew September 6, 2018 - 8:42 am

The reason this works is because your connection of the mapped drive effectively creates a logon session on the remote fileserver. Then the memberships are re-evaluated by -that- server and it allows the connection, even if your local system hasn’t yet recognised the new membership.

Reply
DIEGO SEBASTIAN September 6, 2018 - 10:12 am

Sure. Anyways not always works without reboot the computer. Sometimes (and I do not know why) it is necesary reboot the client computer for update the internal permissions on NAS folders.

Reply
Mike Wynn October 4, 2019 - 9:48 pm

For a service ID (instead of a user ID), does “klist purge” work refresh the AD group membership ? A service ID is used for running a Windows service and no logon/logoff is allowed.

Reply
Samuel February 2, 2021 - 11:26 am

Hello,

On a Windows Server 2016 in a Windows Server 2012 R2 Active Directory. Each command is use in an administrative shell

– The server is in the group “test computer group”
– gpresult /r –> Server is confirmed in the group
– In active directory, removes the server of the group
– Force AD resync and wait 5 min (to be sure resync is ok)
– gpresult /r –> Server is still in the group (normal)
– klist -li 0:0x3e7 purge –>
LogonId est 0:0x3bbed
Suppression de tous les tickets :
ticket(s) supprimé(s) !
– gpupdate /force –> Update without error
– gpresult /r –> Server is still in the group (huh ?)
– Reboot of the server
– gpresult /r –> Server is confirmed not in the group (Normal)

So, are there some configuration items to point why this procedure doesn’t work on my servers ?

Reply
Chad February 2, 2021 - 10:35 pm

This stopped working for me as well. I’m confident it was working a few months ago in a different AD environment. Strange.

Reply
Matthew McDonald February 16, 2021 - 11:12 pm

This does not work for me. I can see the new group memberships via a new cmd prompt using runas and with whoami /groups, however until Explorer is restarted and using runas to start a new explorer process, the user is never seen to be a member of the new groups.

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • PowerShell
  • VMWare
  • MS Office

Recent Posts

  • How to Troubleshoot, Repair and Rebuild the WMI Repository?

    March 2, 2021
  • Accessing USB Flash Drive from VMWare ESXi

    February 26, 2021
  • How to Sign a PowerShell Script (PS1) with a Code Signing Certificate?

    February 25, 2021
  • Change the Default Port Number (TCP/1433) for a MS SQL Server Instance

    February 24, 2021
  • How to Shadow (Remote Control) a User’s RDP session on RDS Windows Server 2016/2019?

    February 22, 2021
  • Configuring PowerShell Script Execution Policy

    February 18, 2021
  • Configuring Proxy Settings on Windows Using Group Policy Preferences

    February 17, 2021
  • Updating Group Policy Settings on Windows Domain Computers

    February 16, 2021
  • Managing Administrative Shares (Admin$, IPC$, C$, D$) in Windows 10

    February 11, 2021
  • Packet Monitor (PktMon) – Built-in Packet Sniffer in Windows 10

    February 10, 2021

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Configure Google Chrome Using Group Policy ADMX Templates?
  • Allow RDP Access to Domain Controller for Non-admin Users
  • Get-ADUser: Getting Active Directory Users Info via PowerShell
  • Get-ADComputer: Find Computer Details in Active Directory with PowerShell
  • How to Find the Source of Account Lockouts in Active Directory domain?
  • Configuring Proxy Settings on Windows Using Group Policy Preferences
  • Changing Desktop Background Wallpaper in Windows through GPO
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top