Security group membership changes require a reboot before a computer can apply them. Until that reboot, any GPOs newly filtered and scoped to the group will not apply either. A past article showed how to use the built-in Klist tool to refresh the machine ticket and avoid that reboot.
But what if you need to run klist purge on a bunch of computers? The script below will purge/refresh the system ticket and run a GPUpdate on all computers in a security group.
You could string together the psexec commands into a single line or call the commands as a batch file to make it more efficient. For simplicity of sharing, I left it as two separate commands.
Enjoy!
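# Requires the ActiveDirectory module (RSAT) and psexec.exe on the PATH.
Import-Module ActiveDirectory
Write-Host "This script will refresh the system token and gpupdate all computers in a group."
$GroupName = Read-Host "What is the group name?"
# Confirm the group exists before enumerating its members
$ADGroup = Get-ADGroup -Identity $GroupName
if ($?) {
    # @() keeps .Count reliable when the group contains zero or one computer
    $Computers = @(Get-ADGroupMember -Identity $GroupName -Recursive | Where-Object ObjectClass -eq 'computer')
    Write-Host "$GroupName contains $($Computers.Count) devices. Press enter to refresh the token and gpupdate this group."
    pause
    foreach ($Computer in $Computers) {
        $ComputerName = $Computer.Name
        Write-Host $ComputerName
        # -s runs as SYSTEM, -h uses the elevated token, -d does not wait, -n 2 is a 2-second connect timeout
        # 0x3e7 is the logon ID of the LocalSystem session, which holds the computer account's tickets
        & psexec.exe "\\$ComputerName" -accepteula -d -h -s -n 2 "c:\windows\System32\klist.exe" -li 0x3e7 purge
        & psexec.exe "\\$ComputerName" -accepteula -d -h -s -n 2 "c:\windows\System32\gpupdate.exe"
    }
}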
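
The single-line variant mentioned above, as an added example that is not part of the original script: both commands run in one remote cmd.exe session so gpupdate only starts after the purge succeeds, and the exit code is collected per computer. The function name Invoke-TicketRefresh is hypothetical, and the block assumes psexec.exe is on the PATH and the ActiveDirectory module is installed.

```powershell
# Added example, not the original author's script.
# Assumes psexec.exe is on the PATH and the ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Hypothetical helper name. Purges the LocalSystem (logon ID 0x3e7) tickets and
# then runs gpupdate inside one remote cmd.exe session, so the order is fixed.
function Invoke-TicketRefresh {
    param(
        [Parameter(Mandatory)][string]$ComputerName
    )
    # '&&' makes cmd.exe start gpupdate only if klist exited with code 0.
    $remote = 'klist.exe -li 0x3e7 purge && gpupdate.exe'
    # No -d here: PsExec waits for the remote process and returns its exit code.
    & psexec.exe "\\$ComputerName" -accepteula -h -s -n 2 cmd.exe /c $remote 2>$null | Out-Null
    [pscustomobject]@{ Computer = $ComputerName; ExitCode = $LASTEXITCODE }
}

$GroupName = Read-Host 'What is the group name?'
# @() keeps the result an array even when the group has a single computer.
$Computers = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object ObjectClass -eq 'computer')

$results = foreach ($Computer in $Computers) {
    Invoke-TicketRefresh -ComputerName $Computer.Name
}

# List only the computers where the connection or one of the commands failed.
$results | Where-Object ExitCode -ne 0 | Format-Table -AutoSize
```

Because this version waits for gpupdate to finish on each computer, it runs slower across a large group than the -d form, in exchange for a per-computer result.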