Why sometimes is required to log off and log on back again adding a group to a user

security windows-server-2008-r2 uac

In Windows systems (particularly Windows Server 2008R2 which I an using), sometimes when I add a local user to a local group, the user needs to log-off and log-on back again before this new group is registered to him.

But Sometimes as well, the group registration is done immediately.. without the user having to log-off and log-on back again..

why is this so?


You mention local users and groups, so setting aside Active Directory.

You should always need to re-authenticate in order for the user's security token to contain the new group membership. This typically means you need to re-login. LSASS only hands this token out when the user authenticates, which is usually only at logon but you can do something like C:\> runas /user:Yourself cmd.exe and that will prompt you for your password and you will go through authentication again and your new group membership will be picked up. (But I cannot guarantee that any other running applications that may have queried for your group memberships are going to refresh their data without restarting those applications, etc.)

(Not mentioning klist.exe because we are only talking about local users and groups.)

This article is pretty much the authority on the matter.

When a user is authenticated, the Local Security Authority (LSA) creates an access token — in this case, a primary access token — for that user. An access token contains a security identifier (SID) for the user, all of the SIDs for the groups to which the user belongs, and the user’s privileges. If you add a user to a group after the user’s access token has been issued, or modify privileges assigned to the user account, the user must log off and then log on again before the access token will be updated.

Whenever a thread or process interacts with a securable object or tries to perform a system task that requires privileges, the operating system checks the effective access token to determine its level of authorization. If a thread is impersonating, the effective token is usually taken to be the token on the thread. If a thread interacting with the securable object is not impersonating, then the token on the process is examined for the access decision.

Thus, there are two kinds of access tokens, primary and impersonation. Every process has a primary token that describes the security context of the user account associated with the process. A primary access token is typically assigned to a process to represent the default security information for that process. Impersonation access tokens, on the other hand, are usually used for client/server scenarios. Impersonation tokens enable a thread to execute in a security context that differs from the security context of the process that owns the thread.

Related

error: Cannot find OpenSSL's <evp.h> centos 6.3 (install php) [closed]
How do server administrators like their server logs?
App needs elevated privileges to run - why?
Amazon AWS EC2 and RDS: How To Increase MySQL Query Cache?
What does this intention with lots of numbers mean in a SSL certificate?
Amazon RDS Instances: db.m1.large vs db.m3.large
How to identify EBS volumes vs local volumes on running EC2 instance
Conflicting information about the running kernel version in FreeBSD
locale-gen with purge does not work
ZFS on linux upgrade from 0.6.2 to 0.6.3 made my zpool unreadable help translate CentOS to Ubuntu commands
Advanced Audit Policy not getting applied on 2012 R2
Estimating distance between two servers by IP address