In Windows systems (particularly Windows Server 2008R2 which I an using), sometimes when I add a local user to a local group, the user needs to log-off and log-on back again before this new group is registered to him.
But Sometimes as well, the group registration is done immediately.. without the user having to log-off and log-on back again..
why is this so?
Best Answer
You mention local users and groups, so setting aside Active Directory.
You should always need to re-authenticate in order for the user's security token to contain the new group membership. This typically means you need to re-login. LSASS only hands this token out when the user authenticates, which is usually only at logon but you can do something like
C:\> runas /user:Yourself cmd.exe
and that will prompt you for your password and you will go through authentication again and your new group membership will be picked up. (But I cannot guarantee that any other running applications that may have queried for your group memberships are going to refresh their data without restarting those applications, etc.)(Not mentioning
klist.exe
because we are only talking about local users and groups.)This article is pretty much the authority on the matter.