Posted on September 21, 2016 · Posted in Active Directory

How to Refresh AD Groups Membership Without User Logoff

All administrators know that after a computer or a user is added to an Active Directory group, the computer has to be rebooted (if the computer account has been added to the domain group) or the user has to log off and on again for the new group membership to take effect or the assigned policies to apply. This is necessary because membership in AD groups is evaluated when a Kerberos ticket is issued, which happens during system boot and user logon.

In some cases, a system reboot or user logoff is impossible for production reasons, but the new rights, access or policies are needed right now. There is a way to update the membership of an account in Active Directory groups without a computer restart or user re-login.

Note. The method described in this article works only for network services that support Kerberos authentication. Services that work only with NTLM authentication still require a user logoff and logon or a Windows restart.

You can get the list of groups the current user is a member of in the command prompt using the following command:

whoami /groups

or GPResult

gpresult /r

[Screenshot: gpresult output, security groups membership]

The list of groups the user is a member of is displayed in the section "The user is a part of the following security groups".

Kerberos tickets can be reset without restarting the computer using klist.exe. Klist has been included in Windows since Windows 7. For Windows XP and Windows Server 2003 it is installed as part of the Windows Server 2003 Resource Kit Tools.

To reset the whole Kerberos ticket cache of the computer account (the Local System session) and update the computer's membership in AD groups, run the following command in a command prompt with administrator privileges:

klist -lh 0 -li 0x3e7 purge

Note. 0x3e7 is the well-known logon ID of the local computer's session (Local System).

After running this command and refreshing Group Policy, all policies targeted at the AD group by means of Security Filtering will be applied to the computer.

Now for the user account. Suppose that a user's domain account has been added to an Active Directory group that grants access to a file share. Obviously, without re-login the user won't be able to access it.

[Screenshot: share access denied]

Reset all Kerberos tickets of the user with this command:

klist purge

To see the updated list of groups, open a new command prompt window with runas, so that a new process is created with a fresh security token.

For example, the user has been added to an AD group that grants access to a network share. Try to access the share using the server's FQDN (e. g., \\lon-fs1.woshub.loc\Install) and make sure that the TGT has been renewed:

klist tgt

The network share granted through the AD group opens without user re-login (!!! You must use the FQDN).
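As an added example (not from the original article), the PowerShell script below runs the two purge steps described above and then checks the result by parsing klist output for a freshly issued TGT and a cifs/ service ticket for the FQDN-addressed share. The share UNC is a placeholder, and the parser assumes an English-locale klist output format.

```powershell
# Added example: purge the Kerberos ticket caches and verify that new tickets were issued.
# Assumptions: run as a local administrator on a domain-joined host; English-locale klist.
param(
    [string]$Share = '\\fileserver.corp.example\Install'   # placeholder UNC (use the FQDN, not a short name)
)

function Get-KerberosTickets {
    # Parse "klist" output into objects, one per cached ticket, keeping the
    # service principal (Server) and the ticket start time.
    $tickets = @(); $current = $null
    foreach ($line in (& klist.exe 2>&1)) {
        if ($line -match '^#\d+>\s*Client:') { $current = [ordered]@{} }
        elseif ($null -ne $current -and $line -match '^\s*Server:\s*(\S+)') { $current.Server = $Matches[1] }
        elseif ($null -ne $current -and $line -match '^\s*Start Time:\s*(.+?)\s*\(local\)') {
            $current.Start = [datetime]::Parse($Matches[1])
            $tickets += [pscustomobject]$current; $current = $null
        }
    }
    return $tickets
}

$purgedAt = Get-Date
Write-Host "Groups in the CURRENT token (these do not change until a new logon session is created):"
whoami /groups /fo list | Select-String 'Group Name'

# Step 1: purge the Local System session cache (logon ID 0x3e7), so the computer account re-requests its tickets.
& klist.exe -lh 0 -li 0x3e7 purge | Out-Null
# Step 2: purge the current user's ticket cache.
& klist.exe purge | Out-Null

# Step 3: touch the share by FQDN so a new TGT and a cifs/<fqdn> service ticket are requested.
$reachable = Test-Path -LiteralPath $Share
$server = ($Share -split '\\')[2]

$tickets = Get-KerberosTickets
$tgt  = $tickets | Where-Object { $_.Server -like 'krbtgt/*' } | Sort-Object Start -Descending | Select-Object -First 1
$cifs = $tickets | Where-Object { $_.Server -like "cifs/$server*" }

# A TGT started after the purge proves the cache was really reset; allow a few minutes of clock skew.
if ($tgt -and $tgt.Start -ge $purgedAt.AddMinutes(-5)) { "TGT re-issued at $($tgt.Start)" }
else { "WARNING: no fresh TGT found; the purge may have failed" }
# Without a cifs/ ticket for the FQDN, the share was not reached over Kerberos (NTLM fallback does not refresh groups).
if ($cifs) { "Kerberos service ticket present for $($cifs.Server)" }
else { "No cifs/$server ticket cached; access probably used NTLM (short name or IP address?)" }
"Share reachable: $reachable"
```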

[Screenshot: share access via the FQDN path]
