Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Active Directory / Refresh AD Groups Membership without Reboot/Logoff

July 15, 2023 Active DirectoryGroup PoliciesWindows 10Windows Server 2019

Refresh AD Groups Membership without Reboot/Logoff

After you add a computer or a user account to an Active Directory security group, the new access permissions or the new GPOs are not applied immediately. To update the group membership and apply the assigned permissions or Group Policies, you need to restart the computer or perform a logoff and logon (for the user). This is because AD group memberships are only updated when the Kerberos ticket is issued, which happens when the system boots or when a user is authenticated at logon.

Contents:
  • Update Computer Group Membership and Kerberos Ticket Without Reboot
  • Reload User Groups Membership without Logging Off

If you cannot immediately restart the computer or log off the user, you can update the account’s AD group membership by using the klist.exe tool. This utility allows you to reset and renew a computer’s or user’s Kerberos tickets.

Note. The method described in this article only works with network services that support Kerberos authentication. The services that only work with NTLM authentication still require logoff + logon of a user or Windows restart.

You can list the domain security groups that the current user is a member of with the command:

whoami /groups

or GPResult:

gpresult /r /scope user

gpresult: security groups membership

The list of groups the user is a member of is displayed in the “The user is a part of the following security groups” section.

Update Computer Group Membership and Kerberos Ticket Without Reboot

You can list the security groups that this computer is a member of with the command

gpresult /r /scope computer

The computer is a part of the following security groups

gpresult scope computer - list security groups membership

You can list cached Kerberos tickets received by the computer, as well as the date they were received and the time of the next renewal.

klist.exe -li 0x3e7

klist: view kerberos cached tickets

Note. 0x3e7 is a special identifier that points to a session of the local computer (Local System).

Now add the computer to the AD security group (using the ADUC snap-in or with PowerShell: Add-AdGroupMember -Identity grAVExclusionPC -Members wks-mns21$ )

To clear the computer’s Kerberos ticket cache and update the computer’s AD group membership, run the command (for Windows 7 and Windows Server 2008R2)

klist -lh 0 -li 0x3e7 purge

Or for Windows 11/10/8 and Windows Server 2022/2019/2016:

klist –li 0x3e7 purge

klist -lh 0 -li 0x3e7 purge

Deleting all tickets:
Ticket(s) purged!

Update the Group Policy settings using the gpupdate /force command. All Group Policies assigned to the AD group through Security Filtering will then be applied to the computer without a reboot.

You can use the command to check when a computer has received new Kerberos tickets:

klist -li 0x3e7 tgt

After running the command and updating the policies (you can update the policies with the gpupdate /force command), all Group Policies assigned to the AD group through Security Filtering will be applied to the computer.

If the LSA access restriction policy is configured in your domain (for example, the Debug Program policy restricting the use of SeDebugPrivilege), if you run the klist -li 0: 0x3e7 purge command, you can get an error: “Error calling API LsaCallAuthenticationPackage”:

Current LogonId is 0:0x3d2de2
Targeted LogonId is 0:0x3e7
*** You must run this tool while being elevated, and you must have TCB or be a local admin.***
klist failed with 0xc0000001/-1073741823: {Operation Failed}
The requested operation was unsuccessful.

klist 0x3e7 purge failed with 0xc0000001

In this case, you will need to run the command line on behalf of NT AUTHORITY\SYSTEM and purge your computer Kerberos ticket cache in that console:

psexec -s -i -d cmd.exe –run cmd on behalf of Local System using the psexec.exe tool

klist purge – reset computer ticket

gpupdate /force – update GPO

This method of updating computer group membership is the only working option for updating GPO settings on clients connecting to your network via VPN, where the user logs in using cached domain credentials.

Reload User Groups Membership without Logging Off

Another command is used to update the assigned Active Directory security groups in the user session. For example, you have added a user to a security group that grants access to a shared folder. The user won’t be able to access this network folder without logging off and on again.

share access denied

You must reset a user’s Kerberos ticket cache if you want to update the list of assigned security groups for that user. Open an unprivileged command prompt in a user session (do not run cmd in administrator mode). Run the command:

klist purge

Current LogonId is 0:0x5e3d69
Deleting all tickets:
Ticket(s) purged!

klist purge

In order to see the updated list of groups, you will need to open a new command prompt using runas (so that the new process will be created with the new security token).

List the user’s groups:

whoami /groups

In the Remote Desktop Services (RDS) environment you can reset Kerberos tickets for all remote user sessions at once by using the following PowerShell one-liner:

Get-WmiObject Win32_LogonSession | Where-Object {$_.AuthenticationPackage -ne 'NTLM'} | ForEach-Object {klist.exe purge -li ([Convert]::ToString($_.LogonId, 16))}

For the user to be able to connect to the shared network folder, you must restart the File Explorer shell with a new token. (with a new security group)

  1. Open the command prompt;
  2. End the current user’s File Explorer process: taskkill /f /im explorer.exe
  3. Start a new Explorer process using your account credentials. You can use the %USERDOMAIN%\%USERNAME% environment variables or specify the domain and user name manually. For example: runas /user:woshub\jsmith explorer.exe
  4. Enter your account password;restart explorer with runas user
  5. File Explorer will then restart with a new access token and you will be able to access the network folder with the permissions of the new security group.

In the previous method, you must explicitly specify the password of the user in order to refresh the security groups in Windows File Explorer. If this isn’t possible, you can try a workaround.

Suppose a user was added to an AD group to access a file server shared folder. Try to access it by its short name (NETBIOS) or FQDN((!!! this is important). For example, \\lon-fs1.woshub.loc\Install.   But not by IP address.

 Different CIFS tickets are used for short server name (NAME) and full server name ( FQDN). If you previously used FQDN to access the file server, after resetting the tickets on the client with the klist purge command, you will be able to access the file server using NAME (a new ticket with new security groups is issued the first time you access the SMB share). The old FQDN ticket is still in the File Explorer process and won’t be reset until it is restarted (as described above).

At this point, a new Kerberos ticket will be issued to the user. You can check if your TGT ticket has been updated:

klist tgt

(see Cached TGT Start Time value)

klist tgt renewed ticket

A shared folder that has been granted access through the AD security group should open without the user logging off.

Run the whoami /groups command to ensure that the user has received a new TGT with an updated list of security groups without re-login.

fqdn path share access

Once again, we would like to remind you that this method of updating security group membership will only work for services that support Kerberos. For services with NTLM authentication, a computer reboot or user logoff is required to update the token.

14 comments
22
Facebook Twitter Google + Pinterest
previous post
How to Fix ‘An Operating System Wasn’t Found’ Error on Windows
next post
How to Find Driver for Unknown Device in Windows

Related Reading

Installing Language Pack in Windows 10/11 with PowerShell

September 15, 2023

How to View and Change BIOS (UEFI) Settings...

September 13, 2023

How to Create UEFI Bootable USB Drive to...

September 11, 2023

Redirect HTTP to HTTPS in IIS (Windows Server)

September 7, 2023

Add an Additional Domain Controller to an Existing...

September 6, 2023

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Installing Language Pack in Windows 10/11 with PowerShell

    September 15, 2023
  • Configure Email Forwarding for Mailbox on Exchange Server/Microsoft 365

    September 14, 2023
  • How to View and Change BIOS (UEFI) Settings with PowerShell

    September 13, 2023
  • How to Create UEFI Bootable USB Drive to Install Windows

    September 11, 2023
  • Redirect HTTP to HTTPS in IIS (Windows Server)

    September 7, 2023
  • Add an Additional Domain Controller to an Existing AD Domain

    September 6, 2023
  • How to Install an SSL Certificate on IIS (Windows Server)

    September 5, 2023
  • Managing Windows Firewall Rules with PowerShell

    August 31, 2023
  • Fixing ‘The Network Path Was Not Found’ 0x80070035 Error Code on Windows

    August 30, 2023
  • Disable Welcome Message for Microsoft 365 Groups

    August 28, 2023

Follow us

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Configure Google Chrome Settings with Group Policy
  • Allow Non-admin Users RDP Access to Windows Server
  • How to Find the Source of Account Lockouts in Active Directory
  • Get-ADComputer: Find Computer Properties in Active Directory with PowerShell
  • How to Disable or Enable USB Drives in Windows using Group Policy
  • How to Automatically Fill the Computer Description in Active Directory
  • Configure Windows LAPS (Local Administrator Passwords Solution) in AD
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top