active-directory – How to Update Group Membership Remotely

active-directorygroup-policy

I'd like to see if there is a way to update a users machines group membership without having to restart the computer, and without having their login information. Ideally looking for something I can execute remotely with a script. I've found different ways to refresh the group membership, but most need the login information of the user, or direct access to the machine. We're trying to find a way that allows as little disruption to the user as possible. Thanks!

Best Answer

Restart is not necessary, but a logoff-logon cycle is needed to refresh NTLM authentication. While it's possible e.g. to force logoff after 5 minutes using shutdown /l /f /t 300, the /l for logoff is not available remotely with /m \\target.

Additionally, Kerberos authentication tickets can be reset with klist.exe since Windows 7. As you were looking for a solution that resets all Kerberos tickets, you need to use the special identifier:

klist -lh 0 -li 0x3e7 purge

There is a script for Purging the Kerberos ticket cache via klist on a remote machine. You could either use it as is or adopt the methods described:

The script uses Win32_ScheduledJob to schedule Klist. Klist queries the current tickets (klist -lh 0 -li 0x3e7 tickets) and purges them (klist -lh 0 -li 0x3e7 purge). Win32_Process is then used to create the process echo N | gpupdate /force /target:computer.

Related Solutions

Windows – way to refresh computer group membership without rebooting

For Windows 2008 and higher:

psexec -s -i -d cmd.exe

C:\Windows\system32>whoami
nt authority\system

-- List the session 0 tickets (0x3e7 is the machine session 0)
klist -lh 0 -li 0x3e7  

-- Purge the session 0 tickets  
klist -lh 0 -li 0x3e7 purge  

Should display:  

Current LogonId is 0:0x3e7  
        Deleting all tickets:  
        Ticket(s) purged!

PSExec is a free SysInternals download from Microsoft.

To clear up any confusion, this process absolutely will refresh the group memberships of a computer, and allow a group policy that applies to a security group to now apply to the computer, without rebooting the computer. This has been tested and verified on Windows Server 2012 R2 and Windows Server 2008 R2 and a universal security group. The short version would be:

psexec -s -i -d cmd.exe
klist tgt (view the current ticket, make note of the size. Also note that since you are running as system, the Current Logon Id is 0x3e7)
Add the computer to the security group. (Allow time to replicate, if applicable)
klist purge
nltest /dsgetdc:domain.com (run this or any other command that will connect to a network resource and force a TGT request)
klist tgt (view the current ticket, make note of the size. It should be slightly larger. Note that whoami /groups will not reflect the new membership)

At this point, it the system command prompt may be exited.

gpupdate /force
gpresult /h gpresult.html

View the gpreport, it should now show the group policy is applied.

Ldap – Restrict access to websites based on LDAP / Active Directory group membership

We do this with Barracuda Network's Web Filter, which can be integrated with Active Directory. You can also assign certain IP addresses specific permissions - it is easy enough to make sure the same computer always has the same IP address on your network via DHCP or plain old static configuration. We chose this because we liked the reporting it does, and we got a good deal.

There are plenty of competing web filter solutions, hardware, software, open source, and even cloud based Software as a Service solutions, that integrate with Active Directory - if they do that then they almost 100% do what you need.

Best Answer

Related Solutions

Windows – way to refresh computer group membership without rebooting

Ldap – Restrict access to websites based on LDAP / Active Directory group membership

Related Topic