Very useful tip found on the internet: how to update a computer's group membership without a reboot?
Problem
If, like me, you use Group Policies and apply them to computer accounts through security groups, you will notice that after adding a computer to a group these GPOs do not apply with a simple gpupdate /force.
Basic solution
The first solution to the problem explained above: reboot. This is needed because of the Kerberos workflow explained below.
This solution can be problematic on production servers.
The theory
There is another way to apply a GPO linked to a computer account through security groups: playing with Kerberos.
When a computer starts, it contacts a domain controller and begins a Kerberos exchange to get a ticket. The KDC looks up the computer account in Active Directory and builds the PAC structure, which includes information such as the account's direct and transitive group membership, and encodes it into the TGT. The group membership the computer is seen with is therefore the one captured in that PAC at authentication time.
The tip
To update the group membership of the computer, the solution is simple: first, purge the cached Kerberos tickets of the computer account, then instruct the Group Policy Client to refresh the policies. The Group Policy Client will then contact a domain controller. As the Kerberos cache is empty, the computer has to authenticate to the domain controller again to get a new ticket. The new ticket carries a new PAC structure with the computer's group membership updated.
And now the commands
- Purge the computer account Kerberos tickets (0x3e7 is the logon ID of the LocalSystem session, which holds the computer account's tickets; run from an elevated prompt):
klist -lh 0 -li 0x3e7 purge
- Force the GPO re-evaluation:
gpupdate /force
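The same procedure as a PowerShell script, with a before/after check of the computer account's ticket cache and of the applied computer GPOs. This is an added example, not part of the original post; the Show-ComputerTickets helper is assumed for illustration and the script must run from an elevated prompt.

```powershell
# Added example: refresh the computer account's Kerberos TGT so its PAC
# carries the current group membership, then re-evaluate computer GPOs.
#Requires -RunAsAdministrator

# Logon ID of the LocalSystem session (999 decimal); this session holds
# the computer account's Kerberos tickets.
$SystemLuid = '0x3e7'

function Show-ComputerTickets {
    # Hypothetical helper: lists the tickets cached in the SYSTEM session.
    # Inspecting another logon session requires an elevated prompt.
    klist -lh 0 -li $SystemLuid
}

Write-Host "Tickets for the computer account before the purge:"
Show-ComputerTickets

# 1. Purge the cached tickets of the computer account.
klist -lh 0 -li $SystemLuid purge

# 2. Force the Group Policy Client to re-evaluate computer policies.
#    It authenticates to a DC again; with an empty cache the KDC issues
#    a fresh TGT whose PAC reflects the current group membership.
gpupdate /force /target:computer

Write-Host "Tickets after the refresh (a new krbtgt ticket should be listed):"
Show-ComputerTickets

# 3. Check which computer GPOs are now applied. As noted in the comments,
#    the group list printed by gpresult may not change even though the
#    group-filtered GPOs are now applied.
gpresult /r /scope:computer
```

Compare the "Applied Group Policy Objects" section of the gpresult output before and after: the GPO filtered on the new security group should appear after the refresh.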
I’ve not found the klist purge solution to affect the computer’s security group membership on Win10, Win 2008 R2, Win2012, on premise, Azure, or any other environment.
The tickets do purge, but gpresult still doesn’t show that the computer is a member of the new security group.
Hi, a question regarding the Kerberos tickets: if left unpurged, how long does it take for it to refresh itself and that way get the new group memberships?
Sincerely,
Fredrik Buchanan
Hello Fredrik,
The computer object group membership is normally evaluated at boot. There is no refresh. The only way I have found is to reset the Kerberos ticket linked to the computer object to force a Kerberos ticket re-creation.
Thank you
Regards,
Nico
I can confirm this works on Server 2012 R2. The list of computer group memberships reported by running gpresult doesn’t seem to update, but it does respect the new membership by applying the expected group policies. For those having issues, you could also try restarting the Group Policy Client service (requires the system account, e.g. psexec -s -i -d cmd).
Hello Tom. Thank you for your feedback and your tip.
2021: worked like a champ. Hope the others are using an administrator command prompt.
Nice one, thanks Tom. Works great on Windows 2012. Perfect to force a GPO filtered by a group for WSUS without rebooting.
Magnificent post, very informative. I ponder why the opposite experts of this sector do not notice this.
You must proceed your writing. I am confident, you have a huge readers’ base already!