1

When I was in lower tier support (and sometimes still), one of the most annoying sequences of events was a request for new file permissions >> add user to security group and specify in the reply "you must log out and back into your machine". 20 minutes later, "I'M STILL GETTING DENIED PERMISSION!!". Because you didn't log out and back in, did you?

Why don't Windows machines in an AD domain periodically query and update the user group membership like they do for group policies and many other things?

WakeDemons3
  • 185
  • 6

1 Answer

3

The need to log out is due to AD group memberships only updating when a Kerberos ticket is created, which occurs during login.

You can refresh a computer's Kerberos ticket by running klist -li 0:0x3e7 purge on an elevated command line, followed by gpupdate /force if you need to update the group policy.

Reference: http://woshub.com/how-to-refresh-ad-groups-membership-without-user-logoff/

slightly_toasted
  • 804
  • 5
  • 14
  • I'm going to select this answer because it's literally true. But I more wanted the "why". Why doesn't the PC do this Kerberos ticket purge and update as a background process just like with GPOs (every 90 minutes), or DNS lists, or NTP, etc. – WakeDemons3 Jul 08 '21 at 19:00
  • 2
    @WakeDemons3 I would assume it has to do with the tradeoff between using up resources (mostly CPU) to regenerate the Kerberos ticket, multiplied by all logged in accounts on the domain, vs. causing a slight inconvenience when a group membership change occurs. Also, due to Kerberos being stateless, it wouldn't be possible for the AD to trigger a ticket regeneration on account membership change. – slightly_toasted Jul 08 '21 at 19:30
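As an added example (not from the answer or the linked article), a PowerShell check that shows the gap the answer describes: the group SIDs frozen into the user's logon token versus what AD holds for the account right now. It assumes a domain-joined machine with the RSAT ActiveDirectory module, and the function names are mine.

```powershell
# Added example: compare the group SIDs in the current logon token (what
# Windows evaluates for access checks) with the account's AD membership now.
# Assumes a domain-joined machine with the RSAT ActiveDirectory module.

Import-Module ActiveDirectory

function Get-TokenGroupSids {
    # Groups fixed in the access token when the logon session was created.
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { $_.Value }
}

function Get-DirectoryGroupSids {
    # tokenGroups is the server-computed, nesting-expanded membership.
    param([string]$SamAccountName = $env:USERNAME)
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $user.tokenGroups | ForEach-Object {
        if ($_ -is [byte[]]) {
            (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
        } else { $_.Value }
    }
}

function Compare-GroupMembership {
    # Only compare same-domain SIDs; the token also carries well-known SIDs
    # (Everyone, Authenticated Users, ...) that AD never lists.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $token = Get-TokenGroupSids     | Where-Object { $_ -like "$domainSid-*" }
    $dir   = Get-DirectoryGroupSids | Where-Object { $_ -like "$domainSid-*" }
    [PSCustomObject]@{
        AddedSinceLogon   = @($dir   | Where-Object { $_ -notin $token })
        RemovedSinceLogon = @($token | Where-Object { $_ -notin $dir })
    }
}

$diff = Compare-GroupMembership
if ($diff.AddedSinceLogon.Count -eq 0 -and $diff.RemovedSinceLogon.Count -eq 0) {
    "Token matches AD; a new logon will not change anything."
} else {
    "Token is stale. Added since logon:   $($diff.AddedSinceLogon -join ', ')"
    "             Removed since logon: $($diff.RemovedSinceLogon -join ', ')"
    # Drop the user's own tickets so the next service ticket carries the
    # current PAC; the local access token keeps its logon-time groups.
    klist purge | Out-Null
}
```

The answer's klist -li 0:0x3e7 purge targets logon session 0x3e7, the SYSTEM session the computer account uses, so it refreshes the machine's tickets (what Group Policy processing relies on). A plain klist purge in the user's own session refreshes the user's tickets for new connections, but the groups in the existing local token only change at the next logon.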