The Realm of the Verbal Processor

Jarvis's Ramblings

Computer Group Membership Change Without Rebooting

I was working with a client this week where we had a need to create a special Group Policy Object for a pilot scenario. This GPO needed to be filtered to only apply if the computer was a member of an AD Security Group. We could add the machines into the group, but we needed to not be forced to reboot all of the machines in order for the group membership to be effective. After doing a bit of searching I found out how to do this…use the “klist” command. This is native to Windows 7 and Windows 8…and to Server 2008 and later. It is not included in Vista…and I’m not sure about Windows XP (but you should be looking at getting off of XP anyway!). The command to trigger this is:

klist -li 0x3e7 purge

Running klist with the purge switch deletes the cached Kerberos tickets for that logon session, which forces the computer to request new ones…and the new tickets reflect the group membership changes. The “0x3e7” is the part of the logon ID that identifies the computer account (Local System).
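The procedure above as a script, with a verification step: this is an added example, not part of the original post. The group name is a hypothetical placeholder, and the gpupdate and gpresult steps are additions that assume you want to confirm the result right away.

```powershell
# Added example. The default group name is a hypothetical placeholder;
# pass the name of the pilot security group used to filter the GPO.
param([string]$GroupName = 'GPO-Pilot-Computers')

# Purging the tickets of another logon session requires elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# 1. Delete the cached Kerberos tickets of the Local System session (0x3e7).
klist.exe -li 0x3e7 purge
if ($LASTEXITCODE -ne 0) {
    throw "klist purge failed with exit code $LASTEXITCODE"
}

# 2. Re-apply computer policy so the machine requests new tickets
#    and evaluates the GPO security filter again.
gpupdate.exe /target:computer /force
if ($LASTEXITCODE -ne 0) {
    throw "gpupdate failed with exit code $LASTEXITCODE"
}

# 3. Check the computer's Resultant Set of Policy report for the group.
#    This is a plain text match, so pick a group name that does not
#    also appear as a GPO name in the same report.
$report = gpresult.exe /r /scope computer
if ($report | Select-String -SimpleMatch $GroupName) {
    Write-Output "Membership in '$GroupName' is effective without a reboot."
} else {
    Write-Warning "'$GroupName' not found in the computer's security groups."
    Write-Warning 'Check that the group change has replicated to the domain controller in use.'
}
```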


April 18, 2013 - Posted by | Active Directory, Group Policy, Windows 7, Windows 8
