19

I am using Windows Server 2008 R2 and have a Windows service running under the "network service" account on computer ComputerA. This Windows service wants to access a shared folder (on another computer, ComputerB) which grants read permission to a group GroupA. So I need to add the computer account of ComputerA to GroupA and restart ComputerA.

My question is: is there a way to let the group membership take effect immediately without restarting ComputerA?

Ben Pilbrow
pkuneal

3 Answers

28
For Windows 2008 and higher:

psexec -s -i -d cmd.exe

C:\Windows\system32>whoami
nt authority\system

-- List the session 0 tickets (0x3e7 is the machine session 0)
klist -lh 0 -li 0x3e7

-- Purge the session 0 tickets
klist -lh 0 -li 0x3e7 purge

Should display:

Current LogonId is 0:0x3e7
        Deleting all tickets:
        Ticket(s) purged!

PSExec is a free SysInternals download from Microsoft.


To clear up any confusion, this process absolutely will refresh the group memberships of a computer, and allow a group policy that applies to a security group to now apply to the computer, without rebooting the computer. This has been tested and verified on Windows Server 2012 R2 and Windows Server 2008 R2 and a universal security group. The short version would be:

  • psexec -s -i -d cmd.exe
  • klist tgt (view the current ticket, make note of the size. Also note that since you are running as system, the Current Logon Id is 0x3e7)
  • Add the computer to the security group. (Allow time to replicate, if applicable)
  • klist purge
  • nltest /dsgetdc:domain.com (run this or any other command that will connect to a network resource and force a TGT request)
  • klist tgt (view the current ticket, make note of the size. It should be slightly larger. Note that whoami /groups will not reflect the new membership)

At this point, the system command prompt may be exited.

  • gpupdate /force
  • gpresult /h gpresult.html

View the gpreport, it should now show the group policy is applied.

Greg Askew
  • I can confirm this just worked on Server 2012 R2 and Server 2016 – KellCOMnet Sep 04 '17 at 16:39
  • Not working for me on Windows Server 2012 R2 (for both the member server, DCs, domain and forest functional level): I can purge the Kerberos tickets, but never got the new group (neither the `klist tgt` size changes, or `whoami /groups` reflects the new group). I've checked the change on the group is replicated through all the DCs. – curropar Oct 22 '19 at 09:12
  • Well, as per https://www.shellandco.net/blog/2016/07/07/update-computer-membership-without-reboot/#comment-8829, I've found none of those checks do reflect the new membership, but it's actually applied. This is true for my case: I can now execute the action depending on the new group, thanks!! – curropar Oct 22 '19 at 09:30
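As an added example that is not part of the answer above or its comments, a PowerShell script that runs the same procedure and then checks the outcome the only reliable way, by actually reading the share. The share path and group name are placeholder assumptions, and the script also purges the NETWORK SERVICE logon session (0x3e4), which is where the asker's service runs, not only the SYSTEM session (0x3e7) used in the answer.

```powershell
# Added example (not the answer author's code): apply the answer's procedure and
# verify it from a script. Run it under SYSTEM, e.g.
#   psexec -s -i -d powershell.exe -ExecutionPolicy Bypass -File .\Refresh-ComputerGroups.ps1
# Placeholder assumptions, replace for your environment:
$SharePath = '\\ComputerB\Share'   # share whose ACL grants read to GroupA
$GroupName = 'GroupA'              # sAMAccountName of the security group

$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne 'NT AUTHORITY\SYSTEM') {
    throw "Run under SYSTEM (logon session 0x3e7); current identity is $me"
}

# 1. Confirm the membership has replicated to the DC this host is using.
#    System.DirectoryServices needs no RSAT; as SYSTEM the query authenticates
#    with the computer account, the same identity Network Service uses on the network.
$filter   = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
$computer = ([ADSISearcher]$filter).FindOne()
if (-not $computer) { throw "Computer object for $env:COMPUTERNAME not found in AD" }
$inGroup = @($computer.Properties['memberof']) -like "CN=$GroupName,*"
if (-not $inGroup) {
    Write-Warning "AD does not (yet) list $env:COMPUTERNAME in $GroupName; replication pending?"
}

# 2. Purge cached Kerberos tickets. 0x3e7 is SYSTEM (this session); 0x3e4 is the
#    NETWORK SERVICE logon session the question's service runs in, so purge it too.
#    A purged session re-requests a TGT, whose PAC carries the updated group SIDs,
#    on its next network access.
foreach ($luid in '0x3e7', '0x3e4') {
    klist -lh 0 -li $luid purge | Out-Null
}

# 3. Force this session to fetch a fresh TGT now.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
nltest /dsgetdc:$domain | Out-Null

# 4. The check that matters: can the computer account now read the share?
#    (whoami /groups will still show the old list; do not rely on it.)
$access = Test-Path -Path $SharePath

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    ListedInGroupAD = [bool]$inGroup
    ShareAccessible = $access
}
```

If this SYSTEM session already held an SMB connection to ComputerB before the purge, that connection keeps the token it was authenticated with; close it (net use \\ComputerB\Share /delete) before trusting the access test.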
2

I think restarting the netlogon service does the same thing, not sure what the overall impact would be. Pretty sure that users would be temporarily disconnected though.

tony roth
-1

On my domain, only this works for a network drive:

@echo off
rem Drop the existing M: mapping (and the SMB session that was authenticated with the old token)
net use M: /d /y
rem Refresh group policy
gpupdate /force
rem Re-map the drive so a new session is authenticated with fresh credentials
net use M: \\10.11.12.233\Archivos /persistent:Yes
explorer.exe M: