
Updating a server’s security group membership without rebooting

Published on Friday, October 8, 2010

At TEC I had a conversation with someone who asked how to flush the Kerberos tickets of a computer account without rebooting. In the past they used a trick that launched a task in the Local System context and executed "klist purge", but that no longer seemed to work on 2008 (R2?).

There is actually something much easier: klist can target a specific logon session with the -li switch, and the logon session of the computer account always has the ID 0x3e7. To list its tickets, execute "klist -li 0x3e7" from an elevated prompt (reading another session's ticket cache requires administrative rights).


And if you want to purge them, just execute "klist -li 0x3e7 purge".


This works on any system, client or server, regardless of the OS version, as long as klist is available. The 0x3e7 (999 decimal) is the logon ID (LUID) of the SYSTEM logon session, which is the session that authenticates to the domain as the computer account, so it always points to the computer account's ticket cache. Two other LUIDs are equally fixed: 0x3e4 is NETWORK SERVICE (which also authenticates as the computer account but keeps its own, separate ticket cache, so a service running as NETWORK SERVICE needs "klist -li 0x3e4 purge") and 0x3e5 is LOCAL SERVICE. Using logonsessions.exe from the Sysinternals tools you can find the IDs of other active sessions. You could use this to get the session ID of a service account and then retrieve its current Kerberos tickets. Cool eh! Besides using logonsessions.exe, you can also find these IDs in the security event log: the Logon ID field of event 4624 (successful logon) is the same LUID, printed in hex.
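As an added example (not part of the original post), the following PowerShell pulls the logon IDs of service logons (logon type 5) out of event 4624 and lists the tickets of each session with klist -li, the same way you would after reading the IDs from logonsessions.exe. The function names and the -MaxEvents limit are my own choices; it assumes an elevated prompt on a domain member.

```powershell
# Added example: enumerate service logon sessions from Security event 4624 and
# list each session's Kerberos tickets with "klist -li <LUID>".
# Assumes an elevated prompt (reading the Security log and other sessions'
# ticket caches both need administrative rights).
#Requires -RunAsAdministrator

function Get-ServiceLogonSession {
    # Logon type 5 = service logon. TargetLogonId in the event is the LUID klist wants.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents 500 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $field = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $field[$d.Name] = $d.'#text'
        }
        if ($field['LogonType'] -eq '5') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Account = '{0}\{1}' -f $field['TargetDomainName'], $field['TargetUserName']
                LogonId = $field['TargetLogonId']   # hex string, e.g. 0x3e7
            }
        }
    }
}

function Get-KerberosTickets {
    param([Parameter(Mandatory)][string]$LogonId)
    # klist prints one "Server: <spn> @ <realm>" line per cached ticket.
    # If the session has already ended, klist reports an error instead and
    # nothing matches, so an empty result means "no tickets or no session".
    $out = & klist.exe -li $LogonId 2>&1
    foreach ($line in $out) {
        if ($line -match '^\s*Server:\s*(.+)$') { $Matches[1].Trim() }
    }
}

# The computer account's own session is always LUID 0x3e7 (SYSTEM).
"Tickets held by the computer account (LUID 0x3e7):"
Get-KerberosTickets -LogonId '0x3e7'

# Sessions of services that logged on with their own account, one per LUID.
Get-ServiceLogonSession |
    Sort-Object LogonId -Unique |
    ForEach-Object {
        "`n$($_.Account) (LUID $($_.LogonId), logged on $($_.Time)):"
        Get-KerberosTickets -LogonId $_.LogonId
    }
```

Event 4624 is only written when logon auditing is enabled, and old sessions in the log may already be gone; logonsessions.exe shows what is live right now, so use it when the log is quiet.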

Flushing the Kerberos tickets of a computer is useful when you want the computer to work with its latest group membership. Note what the purge does and does not do: it does not rebuild the local access token of the SYSTEM logon session, but it forces the computer to request a fresh TGT, and the PAC of that TGT (and of every service ticket derived from it) carries the current group list, which is what the domain controller and other servers use to authorize the computer. So after adding the computer to a group that a GPO is security-filtered on, purging the tickets and then running gpupdate makes the new GPO apply immediately instead of after the next reboot. The same limitation applies to users: "klist purge" in a user's own session refreshes that user's tickets, but the user's local token keeps the old group list until they log off and on again.
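The purge-and-refresh procedure from this post as one script, added here as an example and not taken from the original post. The GPO name is a placeholder you replace with the GPO you filtered on the new group; the ticket-counting helper and its name are my own.

```powershell
# Added example: purge the computer account's Kerberos tickets, re-apply computer
# policy, and check that a security-filtered GPO now applies, all without a reboot.
# Assumes an elevated prompt on a domain-joined machine; $GpoName is a placeholder.
#Requires -RunAsAdministrator
param([string]$GpoName = 'Servers - Hardening')   # assumed GPO name, adjust to yours

$ComputerSessionLuid = '0x3e7'   # SYSTEM logon session = the computer account

function Get-TicketCount {
    param([Parameter(Mandatory)][string]$LogonId)
    # One "Server:" line per cached ticket; errors (e.g. unknown LUID) match nothing.
    $out = & klist.exe -li $LogonId 2>&1
    @($out | Where-Object { $_ -match '^\s*Server:' }).Count
}

"Tickets before purge:   $(Get-TicketCount $ComputerSessionLuid)"

# Drop every cached ticket of the SYSTEM session, TGT included.
& klist.exe -li $ComputerSessionLuid purge | Out-Null
"Tickets after purge:    $(Get-TicketCount $ComputerSessionLuid)"

# The Group Policy client must now re-authenticate; the new TGT's PAC carries the
# updated group list, so GPOs filtered on the new group are re-evaluated.
& gpupdate.exe /target:computer /force | Out-Null
"Tickets after gpupdate: $(Get-TicketCount $ComputerSessionLuid)"

# Verify against the computer's own RSoP rather than the user's.
$report = & gpresult.exe /scope:computer /r
if ($report -match [regex]::Escape($GpoName)) {
    "GPO '$GpoName' is applied to this computer."
} else {
    "GPO '$GpoName' is not applied; check its security filtering and the computer's group membership."
}
```

Run it once before adding the computer to the group and once after to see the GPO move into the applied list. The ticket count after gpupdate should be non-zero again, which confirms the computer re-authenticated with a fresh TGT.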


6 Responses to Updating a server's security group membership without rebooting

21 March, 2012 01:56

Cool, Cheers for this.

18 May, 2012 23:40

Nice, I just realized the power of using logonsessions.exe and klist to view the Kerberos tickets for other accounts.

Anonymous
09 June, 2012 21:36

SYNERGIX AD Client Extensions ( http://www.synergix.com ) will update the computer and user kerberos tickets dynamically, when security group membership is updated. Comes in handy as you don't have to ask the user to do anything.

09 July, 2012 07:55

how do you verify group membership after following these steps? Will gpresult /r do it?

26 July, 2012 18:53

Hi All,
Here is our situation: we have Windows Server 2008 Standard OS (64 bit), we are logged in as an administrator, and we have installed a Windows service with another account which belongs to the Administrators group.
So the OS is running under an administrator-group account and the Windows service is running as a different user which is in the Administrators group.
In short, what this Windows service does is use a Crystal Reports template and send it to a network printer. During this process we get the error message "Invalid Printer Specified". When we remove the template and
just try to send it to the printer, this time we get the error message "invalid handle". When we reboot/restart the server, it works both ways; however, we want it to succeed without rebooting/restarting the server.
Note: the printer driver is OK.
In short, is there any way to accomplish this without rebooting the server? We used some tools like PSEXEC but it did not help.
Remember, if we reboot everything is OK.
Thanks and regards,
Selami Ozlu
selamiozlu@hotmail.com

02 September, 2012 17:21

To "HeyAdmin": I'm not really sure if gpresult /r will just query AD or check your "logon token". A possible alternative might be "whoami /groups". But typically I just re-test what failed before and where adding the account to the group was the solution for ;)
