September 21, 2016 Active Directory

How to Refresh AD Groups Membership Without User Logoff

All administrators know that after a computer or a user is added to an Active Directory group, the computer has to be rebooted (if a computer account was added to the domain group) or the user has to log off and on again for the new group membership and any assigned policies to take effect. This is necessary because membership in AD groups is evaluated when the Kerberos ticket is issued, which happens during system boot and user logon.

In some cases, a system reboot or user logoff is impossible for production reasons, yet you need the new rights, access or policies to apply right now. It is possible to update the group membership of an account in Active Directory without restarting the computer or re-logging the user.

Note. The method described in this article works only for network services that support Kerberos authentication. Services that work only with NTLM authentication still require the user to log off and on again, or Windows to be restarted.

You can get the list of groups the current user is a member of in the command prompt using the following command:

whoami /groups

or using gpresult:

gpresult /r

The list of groups a user is a member of is displayed in the section The user is a part of the following security groups.

Kerberos tickets can be reset without restarting the computer using klist.exe. Klist has been included in Windows since Windows 7. For Windows XP and Windows Server 2003 it is installed as part of the Windows Server 2003 Resource Kit Tools.

To reset the entire Kerberos ticket cache of the computer (the Local System account) and update the computer's membership in AD groups, run the following command in a command prompt with administrator privileges:

klist -lh 0 -li 0x3e7 purge

Note. 0x3e7 is the logon ID of the local computer's own session (Local System).

After running this command and updating the policies, all policies targeted at the AD group through Security Filtering will be applied to the computer.

Now for a user account. Suppose the user's domain account has been added to an Active Directory group that grants access to a file share. Obviously, without re-logging in, the user cannot access it.

Reset all Kerberos tickets of the user with this command:

klist purge

To see the updated list of groups, open a new command prompt window using runas, so that a new process is created with a new security token.

For example, suppose the user has been added to an AD group that grants access to a network share. Try to access the share using its FQDN (e.g., \\lon-fs1.woshub.loc\Install) and make sure the TGT ticket has been updated:

klist tgt

The network share granted through the AD group will open without the user re-logging in (!!! You must use the FQDN of the server).
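As an added example (not part of the original article), the following PowerShell script strings the steps above together: it records the groups in the current token, warns if the share path is not an FQDN (the Kerberos requirement the article stresses), purges the user's tickets and, optionally and only when elevated, the Local System cache, then touches the share to obtain a new TGT and compares the TGT start time before and after. The share path defaults to the article's example \\lon-fs1.woshub.loc\Install; the function names, the script file name and the parsing of klist output are this script's own assumptions.

```powershell
# Added example, not from the original post. Assumed: the default share path
# (taken from the article) and the helper function names below.
param(
    [string]$SharePath = '\\lon-fs1.woshub.loc\Install',
    [switch]$IncludeLocalSystem   # also purge the Local System (0x3e7) cache; needs an elevated prompt
)

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-TokenGroupNames {
    # Groups in the *current process token*. 'klist purge' does not change this token;
    # only a new logon/process (runas) gets a token built from the fresh ticket.
    [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
        try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $_.Value }
    } | Sort-Object
}

function Test-UncUsesFqdn {
    param([string]$Path)
    # Kerberos needs a service principal name matching the target host, which is why the
    # article insists on the FQDN. Short names and IP addresses typically fall back to NTLM,
    # which this method does not refresh.
    if ($Path -match '^\\\\([^\\]+)\\') {
        $server = $Matches[1]
        return ($server -match '\.') -and ($server -notmatch '^\d{1,3}(\.\d{1,3}){3}$')
    }
    return $false
}

function Get-TgtStartTime {
    # Read the start time of the cached TGT from 'klist tgt'; it changes once a new TGT is issued.
    $line = (& klist.exe tgt) | Where-Object { $_ -match '^\s*Start\s?Time\s*:\s*(.+)$' } |
        Select-Object -First 1
    if ($line -match '^\s*Start\s?Time\s*:\s*(.+)$') { return $Matches[1].Trim() }
    return $null
}

Write-Host 'Groups in the current process token:'
Get-TokenGroupNames | ForEach-Object { Write-Host "  $_" }
$before = Get-TgtStartTime

if (-not (Test-UncUsesFqdn -Path $SharePath)) {
    Write-Warning "$SharePath does not use an FQDN; access will not use Kerberos and the refreshed membership will not apply."
}

# Step 1: drop the current user's Kerberos tickets.
& klist.exe purge | Out-Null

# Step 2 (optional): drop the computer's tickets and re-apply computer policies.
if ($IncludeLocalSystem) {
    if (Test-IsElevated) {
        & klist.exe -lh 0 -li 0x3e7 purge | Out-Null
        & gpupdate.exe /force | Out-Null
    } else {
        Write-Warning '-IncludeLocalSystem requires an elevated prompt; skipped.'
    }
}

# Step 3: touching a Kerberos-protected resource by FQDN makes LSA request a new TGT
# (with the current group membership) and a service ticket for the share.
$canAccess = Test-Path -LiteralPath $SharePath
$after = Get-TgtStartTime

Write-Host ("TGT start time before purge: {0}" -f $before)
Write-Host ("TGT start time after access: {0}" -f $after)
Write-Host ("Share {0} reachable: {1}" -f $SharePath, $canAccess)
Write-Host 'The token of this process is unchanged: start a new process with runas and run whoami /groups there to see the refreshed membership.'
```

Save it as Refresh-KerberosGroups.ps1 (a name chosen here) and run it from the user's own session, e.g. .\Refresh-KerberosGroups.ps1 -SharePath '\\fs01.corp.example\data'; add -IncludeLocalSystem from an elevated prompt when a computer account was added to a group. The script deliberately prints the token groups only once: they cannot change inside a running process, which is exactly why the article sends you to runas for a fresh token.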

2 comments

myst October 20, 2016 - 6:10 am

Nice Post…Interestingly enough you can also kill the explorer process….then create a new task with “runas /user:username@domain explorer”. Then you can use all your mappings as per usual.

Diego Sebastian January 26, 2018 - 11:20 am

On my domain only works this for a network drive:

@echo off
net use M: /d /y
gpupdate /force
net use M: \\10.11.12.233\Archivos /persistent:Yes
explorer.exe M:
