Security group membership changes require a reboot before a computer can apply them. Until then, any GPOs newly filtered and scoped to that group will not apply either. A past article showed how to use the built-in klist tool to refresh the machine ticket and avoid that reboot.
But what if you need to run klist purge on a bunch of computers? The script below will purge/refresh the system ticket and run a GPUpdate on all computers in a security group.
You could string together the psexec commands into a single line or call the commands as a batch file to make it more efficient. For simplicity of sharing, I left it as two separate commands.
Enjoy!
```powershell
# Requires the ActiveDirectory module (RSAT) and psexec.exe on the PATH.
Import-Module ActiveDirectory

Write-Host "This script will refresh the system token and gpupdate all computers in a group."
$GroupName = Read-Host "What is the group name?"
$ADGroup = Get-ADGroup -Identity $GroupName

# Continue only if the group lookup succeeded
if ($? -eq $true) {
    # @() keeps .Count reliable when the group has a single member
    $Computers = @(Get-ADGroupMember -Identity "$GroupName" -Recursive | Where-Object ObjectClass -eq computer)
    Write-Host "$GroupName contains $($Computers.Count) devices. Press enter to refresh the token and gpupdate this group."
    pause

    foreach ($Computer in $Computers) {
        $ComputerName = $Computer.Name
        Write-Host $ComputerName
        # Purge the Kerberos tickets of the LocalSystem logon session (0x3e7), then refresh Group Policy
        & psexec.exe \\$ComputerName -accepteula -d -h -s -n 2 "c:\windows\System32\klist.exe" -li 0x3e7 purge
        & psexec.exe \\$ComputerName -accepteula -d -h -s -n 2 "c:\windows\System32\gpupdate.exe"
    }
}
```
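The single-call variant mentioned above, as an added example that is not the original author's code: both commands run through one psexec invocation via `cmd.exe /c`, and computers that do not answer a ping are skipped. The function name `Invoke-GroupTicketRefresh`, the ping check, the result objects and the group name in the usage comment are assumptions of this example.

```powershell
# Added example: one psexec call per computer instead of two.
# Assumes the ActiveDirectory module is installed and psexec.exe is on the PATH.
# Invoke-GroupTicketRefresh is a hypothetical name, not part of the original script.
function Invoke-GroupTicketRefresh {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$GroupName
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Stop here on a mistyped group name instead of continuing with an empty list
    $null = Get-ADGroup -Identity $GroupName -ErrorAction Stop

    # @() keeps the result an array even when the group has a single member
    $computers = @(Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object ObjectClass -eq 'computer')

    # cmd.exe runs klist first and gpupdate second, both under the same SYSTEM token
    $remoteCommand = 'c:\windows\System32\klist.exe -li 0x3e7 purge & c:\windows\System32\gpupdate.exe'

    foreach ($computer in $computers) {
        $name = $computer.Name

        # Assumption: ICMP echo is allowed, so a failed ping means the host is offline
        if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
            [pscustomobject]@{ Computer = $name; Status = 'Unreachable'; PsExecExitCode = $null }
            continue
        }

        if ($PSCmdlet.ShouldProcess($name, 'klist purge and gpupdate as SYSTEM')) {
            # Same psexec switches as the original script; -d means psexec does not wait
            & psexec.exe "\\$name" -accepteula -d -h -s -n 2 cmd.exe /c $remoteCommand | Out-Host
            [pscustomobject]@{ Computer = $name; Status = 'Dispatched'; PsExecExitCode = $LASTEXITCODE }
        }
    }
}

# Usage (constructed group name); -WhatIf lists the targets without calling psexec:
# Invoke-GroupTicketRefresh -GroupName 'Example-GPO-Scope-Group' -WhatIf
```

Because `-d` returns as soon as the remote process starts, `Dispatched` means the command was handed to the computer, not that the policy refresh finished.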