Thursday, 19 July 2012

Refreshing Group Membership Without Logging Off and On Again

I haven't done much investigation into what limitations there are with this (for instance, does group policy filtered to a an added security group take effect), but klist allows you to get a new kerberos ticket, with any new access rights added, without logging off and on again.

Run: klist purge - this will purge the existing kerberos ticket.
klist tgt - TGT refresh, should display the ticket.

The user can now access any resources secured by groups they have been added to since they last logged on.

Tools like whoami /groups will still not display the new group membership, but will if you create a new cmd window using runas since the process will be created using the updated security token.
It may be that by launching a new cmd in this way ansd then running gpupdate, that this will also allow group policies targeted to any new groups to also take effect.

TGT Refresh v TGT renewal
Using klist in this way refreshes the TGT, and new group memberships are added.
A TGT is renewed by default every 10 hours, but this will not add the new group memberships as it only extends the old TGT's validity. After 7 days, TGT refresh happens and the new memberships will be added.

No comments:

Post a Comment