At TEC I had a conversation with someone asking me how they could flush the Kerberos tickets of a computer account without rebooting. In the past they used some trick which launched a task in the Local System context and executed “klist –purge” but that didn’t seem to work no longer for 2008 (R2?).
There is actually something which is much easier: you can execute “klist –li 0x3e7” to target the logon session of the computer account.
And if you want to purge them, just execute “klist –li 0x3e7 purge”.
This will work on any system, client or server, regardless the OS version. The 0x3e7 is an identifier which always points to the computer account logon session. Using logonsessions.exe from the Sysinternals tools, you can actually try to find out id’s for other active sessions. You could use this to get the session id of a service account, and then retrieve it’s current Kerberos tickets. Cool eh! Besides using logonsessions.exe, you can also try to find these IDs in the security event log.
Flushing the Kerberos tickets of a computer can be useful if you want to force the computer having the latest group membership in its token. This way your newly configured GPO’s (with security filtering based on a group) will be applied immediately (after running gpupdate).
7 Response to Updating a server’s security group membership without rebooting
Cool, Cheers for this.
Nice, I just realized the power of using logonsessions.exe and and klist to view the kerberos tickets for other accounts.
SYNERGIX AD Client Extensions ( http://www.synergix.com ) will update the computer and user kerberos tickets dynamically, when security group membership is updated. Comes in handy as you don't have to ask the user to do anything.
how do you verify group membership after following these steps? Will gpresult /r do it?
Hi All,
here is our situation we have Windows Server 2008 Standard OS (64 bit) and logged in as an administrator and we have installed a windows service service with another account which belongs to Administrator group.
So OS is running under and administrator group and the windows service running on a different user which is in administrator group.
Shortly what this windows service does is using Crystal Reports template and sening to a network printer. During this process we get the error message "Invalid Printer Spcecified". When we remove the template
just try to send it to the printer, this time we get error message "invalid handle". When we reboot/restart the server, it work both ways however we want to be successfully without rebooting/restarting the server.
Note: the printer driver is OK.
Shortly is there any way to accomplish without rebooting the server. We used some tools like PSEXEC but did not help.
Remember if we reboot everything ok .
Thanks and regards,
Selami Ozlu
selamiozlu@hotmail.com
to "HeyAdmin". I'm not really sure if the gpresult /r will just query AD or check your "logon token". A possible alternative might be "whoami /groups". But typically I just re-test what failed before and where adding the account to the group was the solution for ;)
Thanks!
Add Your Comment