4

When adding a computer object to an AD group, at which point in time does the group membership become active? Is there some kind of Kerberos refresh interval (similar to group policy refresh)?

I know it becomes active for sure when the computer reboots; I am also aware of the klist -lh 0 -li 0x3e7 purge trick.

Matthias Güntert

1 Answer

5

When and only when a new access token is created. This does not occur when a TGT is refreshed at 10 hours. It also does not occur automatically when the ticket expires after 7 days. You have to actually get a brand new one. This is why you must either reboot or do the klist trick.

Ryan Ries