Update computer group membership without a reboot

A very useful tip found on the internet: how do you update a computer's group membership without a reboot?

Problem

If, like me, you use Group Policies and apply them to computer accounts through security groups, you will notice that after adding a computer to such a group the GPOs do not apply with a simple gpupdate /force.

Basic solution

The first solution to the problem explained above is to reboot. This is necessary because of the Kerberos workflow explained below.

This solution can be problematic on production servers.

The theory

There is another way to apply a GPO linked to a computer account through security groups: playing with Kerberos.
When a computer starts, it contacts a domain controller and begins the Kerberos exchange to obtain a ticket. The KDC searches Active Directory for the computer account and builds the PAC structure, which includes information such as direct and transitive group membership, and encodes it into the TGT. Because the group list lives inside the ticket, it is only as fresh as the ticket itself.

The tip

To update the group membership of the computer, the solution is simple: first purge the cached Kerberos tickets of the computer account, then instruct the Group Policy Client to refresh the policies. The Group Policy Client will contact a domain controller; as the Kerberos cache is empty, the computer has to authenticate to the domain controller again to get a new ticket. The new ticket carries a new PAC structure with the computer's updated group membership.

And now the commands

  • Purge the computer account's Kerberos tickets (logon session 0x3e7 is the local SYSTEM session, where the computer account's tickets are cached)
    klist -lh 0 -li 0x3e7 purge
  • Force the GPO re-evaluation
    gpupdate /force
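The two commands above, wrapped in a PowerShell script that adds the checks an administrator would want around them: confirm the host is domain-joined, show the cached tickets before and after the purge, fail loudly if either command returns an error, and finish with the list of applied computer GPOs. This is an added example, not code from the original post; it assumes an elevated PowerShell session on a domain-joined Windows host, and the optional gpsvc restart is taken from a reader comment below, not from the post itself.

```powershell
# Added example (not part of the original post): refresh the computer account's
# group membership without a reboot by purging its Kerberos tickets and
# re-running computer policy, with verification around each step.
# Assumes an elevated PowerShell session on a domain-joined host.

#Requires -RunAsAdministrator

# LUID of the local SYSTEM logon session (decimal 999); the computer account's
# TGT and service tickets are cached here.
$SystemLogonId = '0x3e7'

function Test-DomainJoined {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return [bool]$cs.PartOfDomain
}

function Show-ComputerTickets {
    Write-Host "--- Kerberos tickets in logon session $SystemLogonId ---"
    klist -lh 0 -li $SystemLogonId
}

function Update-ComputerGroupMembership {
    param(
        # Fallback suggested by a commenter: restart the Group Policy Client.
        # gpsvc often refuses to stop, so this is opt-in and failure is non-fatal.
        [switch]$RestartGpsvc
    )

    if (-not (Test-DomainJoined)) {
        throw 'This host is not domain-joined; there is no computer account ticket to refresh.'
    }

    Show-ComputerTickets

    # Step 1: drop the cached tickets of the computer account. The next
    # authentication to a DC issues a new TGT whose PAC reflects current groups.
    Write-Host "Purging tickets for logon session $SystemLogonId"
    klist -lh 0 -li $SystemLogonId purge
    if ($LASTEXITCODE -ne 0) { throw "klist purge failed with exit code $LASTEXITCODE" }

    if ($RestartGpsvc) {
        try   { Restart-Service -Name gpsvc -Force -ErrorAction Stop }
        catch { Write-Warning "Could not restart gpsvc: $($_.Exception.Message)" }
    }

    # Step 2: make the Group Policy Client re-evaluate computer policy. Limiting
    # the refresh to the computer scope avoids touching the logged-on user's policy.
    Write-Host 'Forcing computer policy refresh'
    gpupdate /force /target:computer
    if ($LASTEXITCODE -ne 0) { throw "gpupdate failed with exit code $LASTEXITCODE" }

    # A fresh TGT for the host should now be listed.
    Show-ComputerTickets

    # Commenters report that gpresult's group list can stay stale even though the
    # group-filtered GPOs apply, so verify against the applied-GPO list instead.
    Write-Host '--- Applied computer GPOs ---'
    gpresult /scope computer /r
}

Update-ComputerGroupMembership
```

Run it from an elevated prompt; add `-RestartGpsvc` to the final call only if the policy still does not apply, since the Group Policy Client service is protected on most Windows versions and the restart may simply be refused.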

Source

Update computer group membership without a reboot

8 thoughts on “Update computer group membership without a reboot”

  • November 17, 2016 at 8:22 pm

    I’ve not found the klist purge solution to affect the computer’s security group membership on Win10, Win 2008 R2, Win2012, on premise, Azure, or any other environment.

    The tickets do purge, but gpresult still doesn’t show that the computer is a member of the new security group.

  • February 28, 2018 at 3:40 pm

    Hi, a question regarding the Kerberos tickets: if left unpurged, how long does it take for it to refresh itself, and that way get the new group memberships?

    Sincerely,
    Fredrik Buchanan

    • February 28, 2018 at 5:09 pm

      Hello Fredrik,

      The computer object group membership is normally evaluated at boot. There is no refresh. The only way I have found is to reset the Kerberos ticket linked to the computer object to force a Kerberos ticket re-creation.
      Thank you

      Regards,
      Nico

  • October 24, 2018 at 1:17 am

    I can confirm this works on Server 2012 R2. The list of computer group memberships reported by running gpresult doesn’t seem to update, but it does respect the new membership by applying the expected group policies. For those having issues, you could also try restarting the Group Policy Client service (requires the system account, e.g. psexec -s -i -d cmd).

  • December 21, 2021 at 9:51 pm

    2021: worked like a champ. Hope the others are using an administrator command prompt.

  • January 14, 2022 at 4:02 pm

    Nice one, thanks Tom. Works great on Windows 2012. Perfect to force a GPO filtered by a group for WSUS without rebooting.

  • June 15, 2022 at 4:11 pm

    magnificent post, very informative. I ponder why
    the opposite experts of this sector do not notice this.
    You must proceed your writing. I am confident, you have a huge readers’ base already!

