One of the irritating side effects of using Group Policy security group filtering on computers is that, if you change a computer’s group membership, you either had to reboot the computer or wait the default 7 days for the computer’s Kerberos ticket to expire before it picked up its new group membership. Recently however, there was a thread on the ActiveDir.org mailing list about this. Steve Linehan–resident AD smart guy at Microsoft–posted that in Server 2008, Microsoft added some switches to the klist.exe utility that you could use to force a refresh of the server’s tokens, and thus pick up group membership changes without a reboot. The command format for doing that is:
klist –li 0x3e7 purge
You have to run this command from an elevated prompt on Server 2008. Unfortunately, on Vista, klist is not included, though Steve mentioned that Vista has all the plumbing to support it. I tried the easy route–which was simply copying klist.exe from Server 2008 to Vista, but it failed with resource errors, so I suspect something else is missing.
Of course, this approach is all great but what about those Server 2003 boxes you have that you need to pick up group membership changes on, but that you can’t reboot. Well, thanks to a comment by Dean Wells on this thread, I did some experimenting and there is a way to do this on Server 2003 (and presumably XP as well)! First off, you need to get ahold of klist.exe from the Server 2003 Resource Kit Tools. Once you have that on your 2003 box, you need to fire up a command shell running as localSystem. The easiest way to do that is to simply use the AT.exe task scheduler command line to run a command shell. Because AT runs as localSystem, the resulting command shell that is opened up is also running as localSystem. So, for example, if right now its 15:30 and I want to open up my command shell at 15:31, I would type:
AT 15:31 /interactive cmd.exe
That means that in one minute, a command shell will appear on my server console running as localSystem. Once I’ve got that, I simply need to use the following syntax with klist:
When you do that, you will likely see a number of y/n prompts for each ticket. Simply say y to each one and once its done, the machine should now know about its new group membership. I tested this by setting a GPO to deny a particular computer group. I ran klist purge and then gpupdate /force and sure enough, the policy settings I had denied were removed!
Thanks to Dean Wells for this tip–its a great one!