Computer Group Membership Change Without Rebooting

I was working with a client this week where we had a need to create a special Group Policy Object for a pilot scenario. This GPO needed to be filtered to only apply if the computer was a member of an AD Security Group. We could add the machines into the group, but we needed to not be forced to reboot all of the machines in order for the group membership to be effective. After doing a bit of searching I found out how to do this…use the “klist” command. This is native to Windows 7 and Windows 8…and to Server 2008 and later. It is not included in Vista…and I’m not sure about Windows XP (but you should be looking at getting off of XP anyway!). The command to trigger this is:

klist –li 0x3e7 purge

Klist with the purge switch forces the computer to refresh the Kerberos tokens…which also effectively recognizes the group membership changes. The “0x3e7” is the part of the logon id that identifies the computer account (Local System).

April 18, 2013 - Posted by Jarvis | Active Directory, Group Policy, Windows 7, Windows 8

No comments yet.

	dakseven on Running a CMD prompt as System…
	d4rkcell on Unknown Computer Bug in Config…
	Malware Removal on Running a CMD prompt as System…
	Jarvis on SCCM Console Install and Updat…
	Tatsumi Morota on SCCM Console Install and Updat…
	Sccm Admin UK on Unknown Computer Bug in Config…
	Kristopher J. Turner on Sam Disaster #2
	Kristopher Turner on Image Build–Manual or Bu…
	Kristopher Turner on No–Windows 8 Does Not…
	MDT 2013 – Con… on Domain Join Account – Mi…
	Jarvis on Running a CMD prompt as System…
	Lorenzo on Running a CMD prompt as System…
	Mike on Unknown Computer Bug in Config…
	Alex on Running a CMD prompt as System…
	Run program as Local… on Running a CMD prompt as System…

The Realm of the Verbal Processor

Jarvis's Ramblings