Is there a way to refresh computer group membership without rebooting?
I am using Windows Server 2008 R2 and have a Windows service running under the "network service" account on computer ComputerA. This Windows service wants to access a shared folder (on another computer, ComputerB) which grants read permission to a group GroupA. So I need to add the computer account of ComputerA to GroupA and restart ComputerA.
My question is: is there a way to let the group membership take effect immediately without restarting ComputerA?
Solution 1:
For Windows 2008 and higher:
psexec -s -i -d cmd.exe
C:\Windows\system32>whoami
nt authority\system
-- List the session 0 tickets (0x3e7 is the machine session 0)
klist -lh 0 -li 0x3e7
-- Purge the session 0 tickets
klist -lh 0 -li 0x3e7 purge
Should display:
Current LogonId is 0:0x3e7
Deleting all tickets:
Ticket(s) purged!
PSExec is a free SysInternals download from Microsoft.
To clear up any confusion, this process absolutely will refresh the group memberships of a computer, and allow a group policy that applies to a security group to now apply to the computer, without rebooting the computer. This has been tested and verified on Windows Server 2012 R2 and Windows Server 2008 R2 and a universal security group. The short version would be:
- psexec -s -i -d cmd.exe
- klist tgt
  (view the current ticket, make note of the size. Also note that since you are running as system, the Current Logon Id is 0x3e7)
- Add the computer to the security group. (Allow time to replicate, if applicable)
- klist purge
- nltest /dsgetdc:domain.com
  (run this or any other command that will connect to a network resource and force a TGT request)
- klist tgt
  (view the current ticket, make note of the size. It should be slightly larger. Note that whoami /groups will not reflect the new membership)
At this point, the system command prompt may be exited.
- gpupdate /force
- gpresult /h gpresult.html
View the gpreport, it should now show the group policy is applied.
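The purge-and-refresh sequence from this answer, as an added PowerShell example (not the answer author's code) that records the TGT before and after the purge and then checks whether the computer account can read the share. It assumes klist.exe and nltest.exe are on the path, that `klist tgt` prints the encoded ticket size as "size: N", and uses placeholder values for the domain and share; it must be run from a SYSTEM shell such as the psexec prompt above.

```powershell
function Update-ComputerGroupTickets {
    param(
        [string]$Domain    = 'domain.com',          # placeholder, as in the answer above
        [string]$SharePath = '\\ComputerB\ShareA',  # placeholder: the share granted to GroupA
        [string]$LogonId   = '0x3e7'                # SYSTEM session; NETWORK SERVICE is 0x3e4
    )
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $id.IsSystem) {
        throw "Run from a SYSTEM shell (psexec -s); current identity is $($id.Name)"
    }

    # 1. Record the current TGT for the target logon session.
    $before = (& klist.exe -lh 0 -li $LogonId tgt) -join "`n"

    # 2. Purge every cached ticket in that session.
    & klist.exe -lh 0 -li $LogonId purge | Out-Null

    # 3. Any authenticated call to the domain forces a fresh TGT; the KDC builds
    #    the new PAC from the computer account's current group membership.
    & nltest.exe /dsgetdc:$Domain | Out-Null

    $after = (& klist.exe -lh 0 -li $LogonId tgt) -join "`n"

    # 4. Compare encoded ticket sizes (assumed to appear as "size: N" in klist tgt output).
    #    The PAC grows when new group SIDs are added, so the new ticket should be larger.
    $sizeRx = 'size:\s*(\d+)'
    $sizeBefore = if ($before -match $sizeRx) { [int]$Matches[1] } else { $null }
    $sizeAfter  = if ($after  -match $sizeRx) { [int]$Matches[1] } else { $null }

    # 5. The check that matters for the original question: can the computer
    #    account (which SYSTEM and NETWORK SERVICE use on the network) read the share now?
    $canRead = Test-Path -LiteralPath $SharePath

    [pscustomobject]@{
        LogonId          = $LogonId
        TicketSizeBefore = $sizeBefore
        TicketSizeAfter  = $sizeAfter
        ShareReadable    = $canRead
    }
}

Update-ComputerGroupTickets | Format-List
```

If ShareReadable stays false after the refresh, allow for AD replication to the DC that nltest located before retrying.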
Solution 2:
I think restarting the netlogon service does the same thing; not sure what the overall impact would be. Pretty sure that users would be temporarily disconnected though.