Update computer group membership without a reboot

A very useful tip found on the internet: how to update a computer's group membership without a reboot.

Problem

If, like me, you use Group Policies and apply them to computer accounts by filtering on security groups, you will notice that these GPOs do not apply after a simple gpupdate /force.

Basic solution

The first solution to the problem described above: reboot. The reason is the Kerberos workflow explained below.

This solution can be problematic on production servers.

The theory

There is another way to apply a GPO that targets a computer account through security groups: playing with Kerberos.
When a computer starts, it contacts a domain controller and authenticates with Kerberos to obtain a ticket-granting ticket (TGT) for its computer account. The KDC looks up the computer account in Active Directory and builds the PAC (Privilege Attribute Certificate) structure, which carries information such as the account's direct and transitive group membership, and embeds it in the TGT. Because the group list is captured when the ticket is issued, a group the computer is added to after boot is not visible until a new ticket is obtained.

The tip

To update the group membership of the computer, the solution is simple: first, purge the cached Kerberos tickets of the computer account (they live in the SYSTEM logon session, so this has to be done from an elevated prompt), then instruct the Group Policy Client to refresh the policies. The Group Policy Client will then contact a domain controller. As the Kerberos cache is empty, the computer has to authenticate again to the domain controller to get a new TGT. The ticket it receives carries a freshly built PAC with the updated group membership of the computer.

And now the commands

  • Purge the Kerberos tickets of the computer account (logon session LUID 0x3e7 is the SYSTEM session the computer account authenticates from; run this from an elevated prompt):
    klist -lh 0 -li 0x3e7 purge
  • Force the GPO re-evaluation:
    gpupdate /force
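The two commands above, and the Kerberos reasoning behind them, wrapped in a PowerShell function. This is an added example and not code from the original post: it refuses to run unless the session is elevated (klist cannot purge another logon session's tickets otherwise), records the start time of the TGT cached in the SYSTEM logon session before and after the refresh so you can confirm a new ticket was actually issued, and limits the refresh to the computer side of the policy. The function names and the parsing of the klist output (it looks for the "StartTime" line printed by "klist tgt") are my assumptions; it is meant for a domain-joined Windows host.

```powershell
# Added example (not from the original post). Assumptions: PowerShell 5.1 or later on a
# domain-joined Windows host, klist.exe / gpupdate.exe on the PATH, and an elevated prompt.

function Test-IsElevated {
    # klist can only purge tickets of another logon session (here 0x3e7, SYSTEM) when elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SystemTgtStartTime {
    # Reads the start time of the TGT cached in the SYSTEM logon session (LUID 0:0x3e7).
    # Parsing assumption: "klist tgt" prints a line such as "StartTime : 2/28/2018 15:40:00 (local)".
    $output = & klist.exe -lh 0 -li 0x3e7 tgt 2>&1
    foreach ($line in $output) {
        if ($line -match 'Start\s*Time\s*:\s*(.+)$') {
            return $Matches[1].Trim()
        }
    }
    return $null   # no TGT cached (for example right after a purge)
}

function Update-ComputerGroupMembership {
    [CmdletBinding()]
    param()

    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated prompt: purging the SYSTEM logon session (0x3e7) requires administrator rights.'
    }

    $before = Get-SystemTgtStartTime
    Write-Verbose "Computer account TGT before purge: $before"

    # Step 1: drop every Kerberos ticket cached in the SYSTEM logon session, including the
    # TGT whose PAC still carries the group list built at boot.
    & klist.exe -lh 0 -li 0x3e7 purge | Out-Null

    # Step 2: force a refresh of the computer policies only. With an empty cache the Group
    # Policy Client must re-authenticate, so the KDC issues a new TGT with a freshly built PAC.
    & gpupdate.exe /force /target:computer | Out-Null

    $after = Get-SystemTgtStartTime
    Write-Verbose "Computer account TGT after refresh: $after"

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        TgtBefore      = $before
        TgtAfter       = $after
        NewTgtObtained = ($null -ne $after -and $after -ne $before)
    }
}

Update-ComputerGroupMembership -Verbose
```

NewTgtObtained is the check worth looking at: if it is false, the Group Policy Client did not re-authenticate and the new PAC was never fetched, so the policies filtered on the new group cannot apply. As one of the comments below points out, gpresult may keep listing the old group membership even when the policies filtered on the new group are applied, so judge success by the applied GPOs rather than by that list.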

Source

5 thoughts on “Update computer group membership without a reboot”

  • November 17, 2016 at 20:22

    I’ve not found the klist purge solution to affect the computer’s security group membership on Win10, Win 2008 R2, Win2012, on premise, Azure, or any other environment.

    The tickets do purge, but gpresult still doesn’t show that the computer is a member of the new security group.
  • February 28, 2018 at 15:40

    Hi, a question regarding the Kerberos tickets: if left unpurged, how long does it take for it to refresh itself, and that way get the new group memberships?

    Sincerely,
    Fredrik Buchanan
    • February 28, 2018 at 17:09

      Hello Fredrik,

      The computer object group membership is normally evaluated at boot. There is no refresh. The only way I have found is to reset the Kerberos ticket linked to the computer object to force a Kerberos ticket re-creation.
      Thank you

      Regards,
      Nico
  • October 24, 2018 at 01:17

    I can confirm this works on Server 2012 R2. The list of computer group membership reported by running gpresult doesn’t seem to update, but it does respect the new membership by applying the expected group policies. For those having issues, you could also try restarting the Group Policy Client service (requires the system account, e.g. psexec -s -i -d cmd).
