Refresh group membership without user relogin

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Refresh group membership without user relogin

    I know that, if I add a user to a security group, it takes a maximum of 8 hours to refresh that group membership in the user session if the user doesn't re-login.

    To address one of my internal requirements, I have added users to a group in Active Directory which has apply permissions on a GPO. I tried running gpupdate /force from the user session but it didn't apply the GPO because the user session is not aware of its membership of the new group I have added.

    Now my question: is there any way to refresh user group membership without the need to re-login?

    Thanks,

  • #2
    Re: Refresh group membership without user relogin

    Nope, not by default at least, although I don't know any third-party application which can do that.
    You need to re-login before the group membership has been applied.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Refresh group membership without user relogin

      There is a trick. Get klist.exe from Resource Kit and do:
      klist purge
      (delete all user tickets)

      After that try to access some network resource using FQDN and make sure the TGT has been refreshed using:
      klist tgt

      This will trigger a TGT refresh (as opposed to a renewal), resulting in a new TGT being issued to the user, with the PAC portion of it containing the updated group membership.

      After that do "gpupdate /force"
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"



      • #4
        Re: Refresh group membership without user relogin

        Thanks guyt.

        Is there any way to check if the group membership has updated or not after recreating kerb tickets? I used the whoami command, but it is not showing the group name I have added.

        Thanks,
        Sitaram



        • #5
          Re: Refresh group membership without user relogin

          Never mind...!! I tested it with the procedure below...

          * Created a share and gave permissions only to a security group (grp1). It is empty at this stage.
          * Logged on a PC with usr1 and tried accessing the share. Got an access denied error (obvious).
          * Now added user usr1 to group grp1 and ran the "klist purge" command.
          * Again went to the desktop and tried to access the share... it worked this time (hurray).
          * Also did it the reverse way and it worked...

          Thanks a ton for the help.

          Thanks,
          Sitaram



          • #6
            Re: Refresh group membership without user relogin

            I didn't know that Guy.
            Thanks for the heads up
            Marcel



            • #7
              Re: Refresh group membership without user relogin

              Originally posted by charlsteve:
              Thanks guyt.

              Is there any way to check if the group membership has updated or not after recreating kerb tickets? I used the whoami command, but it is not showing the group name I have added.

              If you want to see the refreshed group membership, do:
              runas /user:domain\username cmd
              This will make sure the process has been created using the updated security token.

              As a sidenote: actually you do not have to re-login. By default the user's TGT is renewed every 10 hours, up until 7 days. TGT renewal extends TGT validity, but does not create a new TGT (meaning that group membership is not updated). When you hit 7 days, a TGT refresh is triggered and a totally new TGT is issued (with updated group membership in the PAC).
              So if you wait a week, the group membership will get updated. Though I doubt you want to wait 7 days.
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"



              • #8
                Re: Refresh group membership without user relogin

                Guy... though this is working in the scenario you specified, it is NOT working for GPOs. Also the output of whoami is not showing the groups I have added. I am sure whoami will not get this information from the DC directly; rather it depends on some other source.

                Any idea why GPO is exception here?

                Thanks,
                Sitaram



                • #9
                  Re: Refresh group membership without user relogin

                  You did not mention the OS version - there were quite a few changes between the SPs, etc...
                  Yet, try the following:

                  1) Add the user to a group used for GPO filtering
                  2) Start cmd and purge the TGT
                  3) Trigger a TGT refresh by accessing some network resource
                  4) Make sure you received a new TGT ("klist tgt" and inspect StartTime)
                  5) Open a new cmd using "runas /user:domain\username cmd"
                  6) From the new cmd verify the group membership has been updated (whoami /groups) and run "gpupdate /force"
                  7) From the same new cmd run rsop.msc and check whether the new settings have been applied

                  Note: there are some settings that will require restarting explorer.exe or some other process, as not all the settings are read on the fly; some policy settings are read when creating a process. What settings are you trying to apply?
                  Guy Teverovsky
                  "Smith & Wesson - the original point and click interface"
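                  Guy's klist trick (#3) and his checklist (#9) come down to two questions an admin wants answered on a workstation: which directory groups the current session's token does not carry yet, and whether the TGT was reissued or merely renewed. The PowerShell below is an added diagnostic, not code from the thread; it assumes a domain-joined machine that can reach a DC and has klist.exe available, and it only reads state (no ticket purge, no gpupdate).

```powershell
# Added diagnostic, not code from the thread. Assumes a domain-joined Windows box
# that can reach a DC and has klist.exe on the PATH (built in from Vista/2008 on).

function Get-TokenGroupSids {
    # Group SIDs in THIS process's access token: fixed at logon, never refreshed.
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
}

function Get-DirectoryTokenGroupSids {
    # tokenGroups is a constructed attribute: the DC expands nested membership the
    # same way it does when it builds the PAC for a freshly issued TGT.
    $filter = "(&(objectCategory=user)(sAMAccountName=$env:USERNAME))"
    $entry  = ([adsisearcher]$filter).FindOne().GetDirectoryEntry()
    $entry.RefreshCache([string[]]@('tokenGroups'))
    foreach ($raw in $entry.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    }
}

function ConvertTo-AccountName([string]$Sid) {
    # DOMAIN\name for display; fall back to the raw SID if it does not resolve.
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

function Get-TgtTimes {
    # Timestamps from "klist tgt"; label spelling differs by OS version, so match loosely.
    $times = @{}
    foreach ($line in (klist tgt)) {
        if ($line -match '^\s*(Start\s*Time|End\s*Time|Renew\s*(?:Until|Time))\s*:\s*(.+)$') {
            $times[($matches[1] -replace '\s', '')] = $matches[2].Trim()
        }
    }
    $times
}

# 1. Directory groups the current session's token does not carry yet.
$inToken = @(Get-TokenGroupSids)
$pending = @(Get-DirectoryTokenGroupSids | Where-Object { $inToken -notcontains $_ })
if ($pending.Count -eq 0) {
    Write-Output 'Session token already matches directory membership.'
} else {
    $pending | ForEach-Object { Write-Output ("Not in this session's token yet: " + (ConvertTo-AccountName $_)) }
}

# 2. StartTime later than the group change means the TGT (and its PAC) was reissued,
#    not merely renewed; a new logon (runas) is still needed for a token that carries it.
(Get-TgtTimes).GetEnumerator() | ForEach-Object { Write-Output ("TGT {0}: {1}" -f $_.Key, $_.Value) }
```

                  Run it once before and once after the purge-and-access step: a group that still shows as pending after the TGT StartTime has moved is expected, because this script, like whoami, reads the existing token, which only a new logon such as runas replaces.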



                  • #10
                    Re: Refresh group membership without user relogin

                    Thanks Guy. I tried the steps you have given and it is working. In fact I tried them when I was updated about the kerb tickets.

                    But my worry is how to deploy these to all my users. Doing this many steps for such a large crowd is very difficult. Do you suggest any automated way?

                    I have internal tools which can trigger commands on remote workstations when they come alive. I thought worth mentioning this as you may suggest a better automation by considering this.

                    Thanks,
                    Sitaram



                    • #11
                      Re: Refresh group membership without user relogin

                      I suggest logging off/on.
                      The trick I mentioned is not scalable and should not be automated. It also does not promise consistency of GPO application, i.e. you need to restart explorer to get GPO settings that apply to it.

                      What is so urgent that you are trying to deploy?
                      Guy Teverovsky
                      "Smith & Wesson - the original point and click interface"



                      • #12
                        Re: Refresh group membership without user relogin

                        Originally posted by guyt:
                        I suggest logging off/on.
                        The trick I mentioned is not scalable and should not be automated. It also does not promise consistency of GPO application, i.e. you need to restart explorer to get GPO settings that apply to it.

                        What is so urgent that you are trying to deploy?

                        Probably dealing with a "higher-up" user that cannot be bothered to close down their 45 open windows when granted some new access.

                        We have a "few" of those guys lying around.



                        • #13
                          Re: Refresh group membership without user relogin

                          >What is so urgent that you are trying to deploy?

                          Let me explain, Guy.

                          I am trying to deploy a new user policy to remote users who log in from their home PC and connect to the office using a software VPN. These are the steps they do daily:

                          * Log on to the home PC with cached domain credentials
                          * Connect to the office network using the software VPN
                          * Do their work for one or two hours
                          * Disconnect from the VPN.

                          Their cached group membership will not get updated during their login because, at that time, they will not have any connection to the office network to reach a DC. There is very little guarantee that their group membership will get updated during their one or two work hours (we cannot guarantee the kerb refresh during this time).

                          Because of the above reason I want to force the group membership on the remote computers to make my policy apply.

                          Thanks,
                          Sitaram



                          • #14
                            Re: Refresh group membership without user relogin

                            7 days after the clients got their TGT, upon connecting via VPN, their TGT will be refreshed and the group membership will get updated. Eventually the new GPO settings will apply.

                            The method I pointed to is unsupported for forcing new GPO settings.
                            Guy Teverovsky
                            "Smith & Wesson - the original point and click interface"



                            • #15
                              Re: Refresh group membership without user relogin

                              Thanks Guy. I realized the time involved in clients syncing group membership, and used existing groups to deploy the GPOs for now.

                              Maybe M$ should provide this kind of facility in its future OS release to make clients like me happy. Of course, many people are looking for this kind of facility.

                              Thanks,
                              Sitaram
