0

We run a Windows 2008 network (2008 DC level). There are many users who work only from home and connect to the network via VPN.

Recently group membership was changed for many of these users and the membership isn't making it to their machine. I need a way I can update their Kerberos ticket with their security groups. Normally this happens at login, though these users are not connected to the network at login and don't get the updates.

`gpupdate /force` doesn't update the local Kerberos ticket. `gpresult /r` is being used to review the current security groups for the user.

How can I get these updates to these users?

Brettski
  • Have them connect to VPN before AD auth. Every VPN client I've used is able to be configured in this way. – EEAA Feb 02 '13 at 20:57
  • Sounds like a good solution which I can ask the VPN team about. Are there any other solutions since I have no control over the VPN configuration? – Brettski Feb 02 '13 at 21:04

1 Answer

3

Try using `klist purge` as a login script, Group Policy scheduled task, etc. If run in the user context, this should provide the response you want without changing the VPN setup.

I use a small script of a similar nature to refresh computer group memberships for deploying software without rebooting.

Tim Brigham
  • Everyone at my workplace was like, "Nope, gotta log out at least." Simply running the `klist purge` worked like a charm, and is way more convenient than logging off in the middle of a workday! – bgStack15 Dec 17 '14 at 18:30
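
One way to script the `klist purge` suggestion for users who log on before the VPN is up, as an added example that is not part of the original answer: it waits until a domain controller is reachable, then purges and re-requests tickets in the user's own session. The helper name `Test-KdcReachable`, the polling values and the use of the domain's `SYSVOL` share to trigger a new ticket are assumptions.

```powershell
# Added example (not from the original post). Run in the logged-on user's
# context, e.g. from a scheduled task that starts at logon.
$domain    = $env:USERDNSDOMAIN   # AD DNS domain of the logged-on user
$maxTries  = 30                   # assumed values: poll for about 5 minutes
$delaySecs = 10

# Hypothetical helper: a domain controller answers on TCP 88 (Kerberos)
# once the VPN tunnel is established.
function Test-KdcReachable([string]$Name) {
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($Name, 88); return $true }
    catch   { return $false }
    finally { $client.Close() }
}

if (-not $domain) {
    Write-Output 'Not a domain logon; nothing to do.'
    exit 0
}

$reachable = $false
for ($i = 0; $i -lt $maxTries; $i++) {
    if (Test-KdcReachable $domain) { $reachable = $true; break }
    Start-Sleep -Seconds $delaySecs
}
if (-not $reachable) {
    # Purging while offline gains nothing, so leave the cache alone.
    Write-Output "No KDC reachable for $domain; tickets left untouched."
    exit 1
}

# Drop the cached tickets of this logon session only.
klist purge | Out-Null

# Touch a domain resource so a fresh TGT and service ticket are requested;
# the new tickets carry the account's current group memberships.
Test-Path "\\$domain\SYSVOL" | Out-Null

# List the re-issued tickets so the run can be checked in the task's output.
klist
```

The purge only affects tickets requested afterwards, so access to network resources picks up the new groups; the access token of the already-running logon session is not rebuilt.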