
We've recently started going through shares replacing named permissions with AD groups (i.e. so that when updating permissions we don't need to worry about the time taken or risks involved in updating all child objects when working with shares hosting large numbers of files).

When changing one of these shares the new permissions took effect, but one of the servers (its computer account being a member of the AD Group) received a number of access denied errors. This seems to be because the server account's group memberships were cached (i.e. When does a computer cache file permissions?).

This issue was resolved by a restart.

Question: Is there any way to force an account (computer or user) to re-authenticate without them having to log out & back in / restart? i.e. so that when such issues occur we can do a `refresh-authToken -computername MyServer$` call of some sort without requiring downtime.

JohnLBevan
  • Could delay removing the named permissions until users have re-authenticated and picked up the new group memberships in the normal course of work. – Brian Mar 25 '15 at 19:27
  • Agreed; that's my current tactic. I'm hoping for something that allows us to force a refresh though - i.e. so there's no question of "how long should I wait for this to happen", "has the server been restarted since that change 3 days ago", etc. - and also so I can be impatient and just fix things and move on. – JohnLBevan Mar 25 '15 at 20:14

0 Answers