Very useful tip found on the internet: how to update a computer's group membership without a reboot?
If, like me, you use Group Policies and apply them to computer accounts through security groups, you will have noticed that these GPOs do not apply after a simple gpupdate /force when the computer has just been added to a group.
The first solution to this problem: reboot. The reason is the Kerberos workflow explained below.
That solution can be problematic on production servers.
There is another way to apply a GPO linked to a computer account through security groups: playing with Kerberos.
When a computer starts, it contacts a domain controller and begins the Kerberos exchange to obtain a ticket-granting ticket (TGT). The KDC looks up the computer account in Active Directory and builds the PAC structure: this structure includes information such as the account's direct and transitive group memberships, and it is encoded into the TGT. Any group added afterwards is therefore absent from the PAC until a new TGT is issued.
To update the group membership of the computer, the solution is simple: first, purge the cached Kerberos tickets for the computer account, then instruct the Group Policy Client to refresh the policies. The Group Policy Client contacts a domain controller; as the Kerberos cache is empty, the computer has to authenticate to the domain controller again to get a new ticket. The new ticket carries a new PAC structure with the computer's group membership updated.
And now the commands:
- Purge the computer account's Kerberos tickets (0x3e7 is the logon ID of the local SYSTEM session, which the computer account uses; run this from an elevated prompt)
klist -lh 0 -li 0x3e7 purge
- Force the GPO re-evaluation (the gpupdate /force mentioned above)
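The whole procedure as one elevated PowerShell script, with a before/after view so the operator can confirm that a fresh TGT (and thus a fresh PAC) was issued. This is an added example, not code from the original post; it assumes the standard klist, gpupdate and gpresult tools and that 0x3e7 is the logon ID of the local SYSTEM session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): purge the computer account's
# Kerberos tickets, re-apply computer policy, and show the effect.
# Assumption: 0x3e7 is the LSA logon ID of the local SYSTEM session, the
# security context the computer account authenticates with.

$SystemLogonId = '0x3e7'

function Invoke-Native {
    # Run a console tool, echo its output and stop on a non-zero exit code, so a
    # failed purge is never silently followed by a policy refresh that still
    # uses the old PAC.
    param(
        [Parameter(Mandatory)][string]$Exe,
        [string[]]$ArgumentList = @()
    )
    & $Exe @ArgumentList
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ArgumentList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

Write-Host "== Tickets held by the SYSTEM logon session ($SystemLogonId) before the purge =="
Invoke-Native -Exe 'klist.exe' -ArgumentList @('-lh', '0', '-li', $SystemLogonId)

Write-Host "== Purging them; services running as SYSTEM re-acquire tickets on demand =="
Invoke-Native -Exe 'klist.exe' -ArgumentList @('-lh', '0', '-li', $SystemLogonId, 'purge')

Write-Host "== Refreshing computer policy only; LSA must now request a new TGT =="
Invoke-Native -Exe 'gpupdate.exe' -ArgumentList @('/target:computer', '/force')

Write-Host "== Tickets after the refresh: expect a krbtgt ticket with a new start time =="
Invoke-Native -Exe 'klist.exe' -ArgumentList @('-lh', '0', '-li', $SystemLogonId)

Write-Host "== Security groups the computer was evaluated against at this refresh =="
Invoke-Native -Exe 'gpresult.exe' -ArgumentList @('/r', '/scope', 'computer')
```

The purge requires elevation because the tickets belong to the SYSTEM logon session rather than to the interactive user; it is transparent to services running as SYSTEM, which simply request new tickets the next time they need one. If the gpresult output still lists the old group set, check that the group change has replicated to the domain controller this computer is talking to before repeating the purge.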