32

I am writing a web application that uses .NET Windows Authentication and relies on a user's group membership to Authorize them to various areas of the website. Right now I'm on a dev machine that IS NOT part of a domain and is not using AD, instead I'm just using local user groups. In general this is working fine as is.

However, as I test the application I need to add and remove roles in my user account to verify things are working. When I add a role it doesn't seem to propagate until I log out of Windows and login again.

Is it possible to force an update to Group membership without having to log off?

kingdango

  • Do you mean log off the station, or the website? – Dan Nov 30 '11 at 15:25
  • Good point, I updated my question to clarify. I have to log off of my Windows user account (log out of Windows) and log in again. – kingdango Nov 30 '11 at 15:29
  • It does force system updates to group memberships. After you run the command, taskkill explorer again, then run explorer normally. You will then have the new security token in your new explorer instance too. – Dec 22 '15 at 17:55

5 Answers

29
taskkill.exe /F /IM explorer.exe
runas /user:%USERDOMAIN%\%USERNAME% explorer.exe

This will kill explorer, then reopen with your user account... It will prompt you for your password and that will get you a new token, thereby updating your membership.

Andrew Schulman
Matt Brown
    This does seem to work, but I found that any mapped drive connections get broken. – SomeGuy May 15 '18 at 13:48
  • Doesn't work for me in Windows 10 Pro. – Dave Cousineau Jun 29 '18 at 23:05
  • See also: http://woshub.com/how-to-refresh-ad-groups-membership-without-user-logoff/. For computer `klist -lh 0 -li 0x3e7 purge`, for user `klist purge`. NB: I've not tried those commands myself; just repeating info from the linked article. – JohnLBevan Jul 05 '18 at 09:10
  • This works but not entirely. `whoami /groups` seems to require a full re-sign-in. Also, `klist purge` didn't work for me. At least, with the local security group `Administrators`. – mythofechelon Feb 19 '20 at 11:21
10

This is difficult to perform on a system-wide scale, but possible with individual executable files by killing their process and relaunching them under the user's credentials.

When you log on, you receive a token reflecting your group membership, among other things. The only way to refresh this token is to log in.

MDMarra
  • If this is the case that's a bummer, it's going to hamper my testing a bit. Thanks for the insight... I'm hoping another user has a better answer but I'm guessing by your 15k+ rep you know what you're talking about. – kingdango Nov 30 '11 at 15:32
  • @kingdango you could always use `runas` to run the process as a different user than your own and manipulate the group membership of that test user. Every time you close and relaunch the process using `runas` it should create a new session, which *should* reflect the changed group membership. I haven't tested this, but in theory it should work this way. – MDMarra Nov 30 '11 at 15:34
  • That's tough because of my dev environment but it's worth exploring. Thanks for the quick and thoughtful response Mark. – kingdango Nov 30 '11 at 15:35
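As an added check that is not part of either answer above: the PowerShell below reads the groups carried by the current process token (the snapshot MDMarra describes, and the one Matt Brown's taskkill/runas relaunch is meant to renew) and compares them with the account's current local group membership, so you can see which memberships the token is missing or still carrying. It assumes a local, non-domain account as in the question and Windows PowerShell 5.1 or later with the LocalAccounts cmdlets; the function names are this example's own.

```powershell
# Added example (not from the original answers). Compares the groups inside the
# current process token with the account's live local group membership.
# Assumes Windows PowerShell 5.1+ on a non-domain machine with local accounts,
# as in the question. Function names are this example's own.

function Get-TokenGroups {
    # Groups the current process token carries. The token was built at logon and is
    # what Windows Authentication sees until a new logon (or runas) builds a new one.
    # Caveat: .NET omits deny-only groups, so a UAC-filtered Administrators
    # membership is absent here in a non-elevated session (whoami /groups shows it).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # logon SIDs and the like have no account name
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
}

function Get-LiveLocalGroups {
    param([string]$UserName = $env:USERNAME)
    # Membership as the local SAM stores it right now. This changes the moment the
    # account is added to or removed from a group; no new logon is needed for it.
    foreach ($group in Get-LocalGroup) {
        # Groups holding orphaned SIDs can make Get-LocalGroupMember throw; skip them.
        $members = @(Get-LocalGroupMember -Name $group.Name -ErrorAction SilentlyContinue)
        if ($members.Name -contains "$env:COMPUTERNAME\$UserName") {
            [pscustomobject]@{ Sid = $group.SID.Value; Name = $group.Name }
        }
    }
}

function Compare-TokenWithLiveMembership {
    $token     = @(Get-TokenGroups)
    $live      = @(Get-LiveLocalGroups)
    $localSids = @(Get-LocalGroup | ForEach-Object { $_.SID.Value })
    # Only local groups are compared; well-known SIDs such as Everyone or
    # Authenticated Users live in the token but not in the SAM.
    [pscustomobject]@{
        # Added since logon: the web app does not see these yet.
        AddedButNotInToken     = @($live | Where-Object { $token.Sid -notcontains $_.Sid } |
                                   Select-Object -ExpandProperty Name)
        # Removed since logon: the token still grants these until a new logon.
        RemovedButStillInToken = @($token | Where-Object { $localSids -contains $_.Sid -and
                                   $live.Sid -notcontains $_.Sid } |
                                   Select-Object -ExpandProperty Name)
    }
}

Compare-TokenWithLiveMembership | Format-List
```

Run it once in your original session after changing a group and `AddedButNotInToken` lists the new group; run it again from a prompt started under the relaunched (runas) explorer and the list should be empty, which is the quickest way to tell whether a given relaunch trick actually produced a fresh token or just a new process with the old one. For the `Administrators` case mythofechelon mentions, compare against `whoami /groups`, since the non-elevated token carries that group as deny-only and .NET leaves deny-only groups out.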
5

I had a similar situation of a website that relied on a user's membership in AD to allow login to the website. One thing to consider doing is having the web server do the authentication/query to the AD server with their supplied credentials; if the web server has access to AD and just queries the server for whether the user is in group XYZ, it gets a list right from AD, not from the login token of the user, which does require a logoff/logon to get a new token with the proper privileges.

I know from the description that your dev machine doesn't have that access right now, but it sounded like you mean you need this functionality when you deploy it.

If you rely on the token, you'll have to log off and back in.

Bart Silverstrim
  • Thank you for the thoughtful response. That is one good way to get at the problem. In normal situations I'm more than happy waiting until the user receives updated access control, even if it means they need to log off and log in to their machine again. It's only the test scenario where this can be a burden but it's really not that big of a deal. Honestly, it's taken me more time to research a shortcut. :-) – kingdango Nov 30 '11 at 15:44
  • It can come in handy, too, depending on the scenario. If the server is querying the DC directly, that means that changes "migrate" almost immediately, so if someone is getting access cut off or added it doesn't take a client logon/logout cycle. It makes it a little easier for their IT staff. – Bart Silverstrim Nov 30 '11 at 15:50
  • @BartSilverstrim I agree. If AD is a part of managing your Website's Roles and Permissions, then you should integrate a call to LDAP to read in their creds upon each login. Then, when their AD is updated, they simply log out and back into the website to pick up the changes. Aside from the inconvenience of rebooting every time you are added to a new group, I find the reboot-workaround to be ill-conceived, unprofessional, and a poor user-experience all around. No one should have to reboot their machine in order to access a web page. I lose at least 40 minutes of productivity on every reboot. – MikeTeeVee Jun 30 '20 at 21:37
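To show what Bart's approach looks like in code, here is an added example (not the answer's or the asker's code) that decides group membership by querying the account store directly through System.DirectoryServices.AccountManagement, the same API a .NET web application would call, instead of trusting the group list in the caller's logon token. It assumes Windows PowerShell 5.1 with the .NET Framework; use `-ContextType Machine` on the non-domain dev box from the question and `Domain` on the deployed server. The function name and the sample user and group names are this example's own.

```powershell
# Added example (not the answer's or the asker's code). Authorization decided by
# querying the account store directly, as Bart suggests, instead of trusting the
# group list in the caller's logon token.
# Assumes Windows PowerShell 5.1 (System.DirectoryServices.AccountManagement ships
# with the .NET Framework). Use -ContextType Machine on the non-domain dev box and
# Domain on the deployed server. Function and sample names are this example's own.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-GroupMembershipLive {
    param(
        [Parameter(Mandatory)] [string] $UserName,    # "user" or "DOMAIN\user" as Windows Authentication reports it
        [Parameter(Mandatory)] [string] $GroupName,
        [ValidateSet('Machine', 'Domain')] [string] $ContextType = 'Machine',
        [string] $ContextName = $null                 # computer or domain name; $null = the current one
    )
    $type = [System.DirectoryServices.AccountManagement.ContextType]::$ContextType
    $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($type, $ContextName)
    try {
        # Windows Authentication hands the app "DOMAIN\user"; the store wants the SAM name.
        $sam   = $UserName.Split('\')[-1]
        $user  = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $sam)
        if (-not $user) { return $false }             # unknown account: deny
        $group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, $GroupName)
        if (-not $group) { return $false }            # unknown group: deny, never default to allow
        # IsMemberOf asks the SAM/AD now, so a change made a second ago is visible on
        # the user's next request without a Windows logoff/logon.
        return $user.IsMemberOf($group)
    }
    finally {
        $ctx.Dispose()
    }
}

# Dev box (local groups), same kind of account the question is about:
Test-GroupMembershipLive -UserName $env:USERNAME -GroupName 'Users'
# Deployed against AD (constructed names):
# Test-GroupMembershipLive -UserName 'CONTOSO\jdoe' -GroupName 'WebApp-Editors' -ContextType Domain
```

`IsMemberOf` reports direct membership; if your AD roles are nested groups, resolve them with `$user.GetAuthorizationGroups()` instead. The trade-off against the token-based approach is that the web server now needs rights to read the store and pays a lookup per request, so in practice the result is cached for a short time rather than queried on every hit.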
4

There is a scripted way of doing this completely through the command line; you can use klist.

klist purge

Nixphoe
  • "Purging tickets destroys all tickets that you have cached, so use this attribute with caution. It might stop you from being able to authenticate to resources. If this happens, you will have to log off and log on again." Does Purge (https://technet.microsoft.com/en-us/library/hh134826.aspx?f=255&MSPPError=-2147217396) regrab the tokens though? Or does it just throw away the existing ones, leaving you with nothing? If you have no tokens, does relaunching explorer (or whatever process needs a token) regrab them automatically? – Brad Dec 22 '15 at 21:08
  • It will regenerate the token when you request new resources. I've used this quite frequently when trying to update security groups for remote user and workstation when adding group membership to their AD objects. – Nixphoe Dec 22 '15 at 21:52
  • oh nice (and blast I messed up the formatting in that comment....you get the idea) – Brad Dec 22 '15 at 21:56
-2
  • Open Task Manager
  • Kill Explorer.exe (each one)
  • Click File > New Task (Run...)
  • Type in CMD
  • In the command prompt type `RunAs /user:<domain>\<username> explorer.exe` (the original post's domain and user name placeholders were lost in formatting)

Done.

flip66

  • No, wrong. Please read the question. – HopelessN00b Sep 27 '12 at 04:39
  • @HopelessN00b This sure looks like it's basically what became the accepted answer. – Brad Dec 21 '15 at 17:54
  • @Brad Which has nothing to do with whether it's right or wrong. MDMarra's right (as is Bart); this (and the accepted answer) are wrong. This process does not force the system to update group memberships. – HopelessN00b Dec 22 '15 at 17:15
  • @HopelessN00b you're right, as I found out later in the day. Reboot was the only way to refresh memberships. Both answers are wrong, sadly. – Brad Dec 22 '15 at 17:33
  • Log off and back in should do the trick, no need to reboot. Group memberships are applied at login. – Charlie Wilson Dec 22 '15 at 18:53