Let’s say that you have a GPO that is scoped to a specific security group. If you add a computer to this security group, you would normally need to restart in order for the computer to see that it is now a member of this group. To bypass this, you can delete the system’s Kerberos ticket and run GPUpdate. The computer will magically see its new group membership without a restart.
To do this, run the following from an elevated command prompt:
klist -li 0x3e7 purge
The system account on every computer (no matter the OS) has the same low part of the locally unique identifier (LUID). In the command above, that input is 0x3E7. To run this command remotely, you can use something like the Right Click Tools in SCCM or PSExec. After running the command above, be sure to start a gpupdate.
And on a completely unrelated note – I recently helped an organization after they had a complete AD meltdown. Unfortunately, they had did not have a DR plan in place. If you haven’t, spend a few hours this week and create/review your plan. Ensure you have backups and that you follow Microsoft’s best practices. If you don’t know where to start, see this link or contact me.