I'd like to see if there is a way to update a users machines group membership without having to restart the computer, and without having their login information. Ideally looking for something I can execute remotely with a script. I've found different ways to refresh the group membership, but most need the login information of the user, or direct access to the machine. We're trying to find a way that allows as little disruption to the user as possible. Thanks!
active-directory – How to Update Group Membership Remotely
active-directorygroup-policy
Best Answer
Restart is not necessary, but a logoff-logon cycle is needed to refresh NTLM authentication. While it's possible e.g. to force logoff after 5 minutes using
shutdown /l /f /t 300
, the/l
for logoff is not available remotely with/m \\target
.Additionally, Kerberos authentication tickets can be reset with
klist.exe
since Windows 7. As you were looking for a solution that resets all Kerberos tickets, you need to use the special identifier:There is a script for Purging the Kerberos ticket cache via klist on a remote machine. You could either use it as is or adopt the methods described: