Let’s say that you have a GPO that is scoped to a specific security group. If you add a computer to this security group, you would normally need to restart in order for the computer to see that it is now a member of this group. To bypass this, you can delete the system’s Kerberos ticket and run GPUpdate. The computer will magically see its new group membership without a restart.
To do this, run the following from an elevated command prompt:

klist -li 0x3e7 purge

The SYSTEM account on every computer (regardless of OS) has the same low part of its locally unique identifier (LUID); that value, 0x3E7, is what the command above passes to -li. To run this command remotely, you can use something like the Right Click Tools in SCCM or PsExec. After running the command above, be sure to start a gpupdate.
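To tie the steps together, here is an added PowerShell script (not from the original post) that purges the SYSTEM session's tickets, refreshes computer policy, and uses gpresult to show whether the computer now sees the new group. The group name is a parameter you supply; the parsing of gpresult's "security groups" section is an assumption about its text layout.

```powershell
# Added example: purge SYSTEM's Kerberos tickets (LUID 0x3e7), refresh computer
# policy, and compare the group list gpresult reports before and after.
# Run from an elevated PowerShell session on the computer you just added to the group.
param(
    [Parameter(Mandatory)] [string] $GroupName   # e.g. 'WSUS-Servers' (assumed name)
)

# The SYSTEM logon session always uses LUID 0x3e7 (999 decimal), as the post notes.
$SystemLuid = '0x3e7'

# klist purge on another session and gpupdate /force need administrative rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

function Get-ComputerPolicyGroups {
    # gpresult lists the groups the computer's token held when policy was last processed.
    # Assumption: the list follows a line containing 'part of the following security groups'
    # and a dashed separator, and runs to the end of the computer-scope output.
    $lines = gpresult /r /scope:computer 2>$null
    $hit = $lines | Select-String 'part of the following security groups' | Select-Object -First 1
    if (-not $hit) { return @() }
    $lines[$hit.LineNumber..($lines.Count - 1)] |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -notmatch '^-+$' }
}

$before = Get-ComputerPolicyGroups
Write-Host "Before purge: '$GroupName' visible to policy? $($before -contains $GroupName)"

# Step 1: drop SYSTEM's cached tickets so the next request fetches a fresh TGT (new group SIDs).
klist -li $SystemLuid purge | Out-Null

# Step 2: re-run computer policy; this re-authenticates and re-evaluates security filtering.
gpupdate /target:computer /force | Out-Null

$after = Get-ComputerPolicyGroups
Write-Host "After gpupdate: '$GroupName' visible to policy? $($after -contains $GroupName)"
```

If the group still does not appear afterwards, check that AD replication has reached the domain controller the computer is talking to; the purge only helps once a DC already knows about the membership change.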
And on a completely unrelated note – I recently helped an organization after they had a complete AD meltdown. Unfortunately, they did not have a DR plan in place. If you haven’t, spend a few hours this week and create/review your plan. Ensure you have backups and that you follow Microsoft’s best practices. If you don’t know where to start, see this link or contact me.
Joseph Moody,
Hi! And what about users added to an Active Directory group? What is the LUID, so we can avoid logging off and on?
I found this PowerShell script. It can get you the LUID of the logged on user:
gwmi Win32_LogonSession | % { $one = $_ ; $one.GetRelated('Win32_Account') | Select Domain, Name, SID, @{ n = 'LogonSessionHEX' ; e = { '0x{0:X}' -f ([int] $one.LogonId) } }, @{ n = 'LogonSessionDEC' ; e = { $one.LogonId } } , @{ n = 'LogonType' ; e = { $one.LogonType } } }
Source: https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=56
In this case I just use the “klist -li LUID purge” with the LUID found, right?
Thanks a lot!
PS: Loved the Adaxes blog! Are you thinking about using RSS? I wanted to know when a new article is posted…
Correct!
And here is the RSS for the Adaxes site: http://www.adaxes.com/blog.rss
Thanks once again!
What an odd coincidence… Today I spotted that one of our servers wasn’t in the sec group that is scoped to the WSUS GPO. Off I went and added it and 15 mins later, scratching my head as to why it wasn’t applying the GPO!
Suddenly – an email comes in with this article! So, thanks again for your insightful posts!
Glad to help! Thanks for the comment!