HomeWorld Tech

How to Refresh AD Groups Membership without Reboot/Logoff

Like Tweet Pin it Share Email

All Windows administrators know that after adding a computer or user to an Active Directory security group, new rights for domain resources or new GPOs are not directly applied. To update your group membership and apply the rights or group policies assigned to you, you will need to restart your computer (if your computer account has been added to a domain group) or log out and log in again (for a user). Indeed, the AD group membership is updated when the Kerberos ticket is created at system startup or when the user authenticates at login.

In some cases, restarting the computer or disconnecting the user cannot be performed immediately for operational reasons. In the meantime, you must now use rights and access rights or apply a new group policy. In this case, you can update the Active Directory group membership without restarting the computer or retyping the user with the tool klist.exe.
The method described in this message only works for network services that support Kerberos authentication. NTLM services always require a logo + user login or a restart of Windows.

You can obtain a list of groups of which the current user is a member by using the following commands on the command line :

which groups

or GPR

Squall /r

The list of groups to which the user belongs is displayed under User belongs to the following security groups.

You can reset the current Kerberos tickets without restarting using the klist.exe tool. Klist is an integrated system tool, starting with Windows 7. For Windows XP/Windows Server 2003, the list is installed as part of the Windows Server 2003 Resource Kit tools.

How can I update my Kerberos ticket and renew my IT group membership without restarting?

To reset the entire Kerberos ticket cache on the computer (local system) and update the membership of the computer in the AD group, you must run the following command at the top-level command prompt :

clist -li 0:0x3e7 purification

List

Note. 0x3e7 is a special identifier that indicates a session on the local computer (local system).

After running the command and updating the policies (you can update the policies with the gpupdate /force command), each group policy assigned to the AD group is applied to the computer by security filtering. If you have configured LSA restriction policies in your domain (e.g. a debugging program policy restricting the use of SeDebugPrivilege) or other security policies, in some cases, when you execute the -li list 0 : 0x3e7 clearing command, you will receive an error such as LsaCallAuthenticationPackage API call error :

Current LogonId is 0:0x3d2de2
Target LogonId is 0:0x3e7
*** You must run this tool when you are lifting and you must have TCB or you must be a local administrator.***Clist
does not work with 0xc00001/-1073741823 :
The requested operation was unsuccessful. List 0x3e7 0x00000010x3e7 0x0000001

Use this command to update users’ Kerberos tickets:

Batch distance

The current Login ID is 0:0x5e3d69
Delete all tickets :
Ticket(s) removed!

To see the updated list of groups, you must run a new prompt with the runas (so that a new process is created with the new security mark). On the RDS server you can reset Kerberos tickets for all remote user sessions at once using the following one-line PowerShell:

Get-WmiObject Win32_LogonSession | Where-Object {$_.AuthenticationPackage -ne ‘NTLM’ } | ForEach-Object {klist.exe purge -li ([Convert]::ToString($_.LogonId, 16)))}.

Suppose a user is assigned to an AD group to access a shared folder. Try approaching it with his FQDN name. At this point, a new Kerberos ticket is issued to the user. You can check whether the TGT ticket has been updated:

tgt list

(See the TGT Cached Start Time value).

A public folder accessible to an AD group should be able to be opened without the user having to log out.

You can check if the user has received the new TGT with the updated security groups (without logging out) by using whoami /all.

Reminder: This method of updating the memberships of the security group only works for services that support Kerberos. Services that use NTLM authentication require a restart of the computer or the disconnection of the user to update the token.