Refresh Membership In AD Security Groups Without Reboot Or Logoff


Wolfgang Sommergut  Thu, Apr 15 2021 (updated Fri, Jul 28 2023)  windows server, active directory

If you add computers or users to a security group in Active Directory, there will be no immediate effect. The associated permissions only take effect after the user has logged on again or the computer has been rebooted. This can be avoided by renewing the Kerberos tickets.

Contents
  1. Purging Kerberos tickets
  2. Updating memberships for users
Wolfgang Sommergut has over 20 years of experience in IT journalism. He has also worked as a system administrator and as a tech consultant. Today he runs the German publication WindowsPro.de.

If you make a server a member of an AD group, for example, to include it in the security filtering of a GPO or to grant it permissions to request a certificate, it simply may not be possible to restart it immediately afterwards. However, a reboot is usually necessary to update computer membership in AD groups.


Purging Kerberos tickets

You can bypass the reboot by renewing the Kerberos ticket for the computer with klist.exe. If you run

klist.exe sessions | findstr /i %COMPUTERNAME%

on a command prompt, you will see that the so-called low part of the local computer's LogonID always has the value 0x3e7, while 0x3e4 belongs to the network service. The corresponding cached Kerberos tickets can be displayed with

klist.exe -li 0x3e7

The low part of the local computer's LogonID always has the value 0x3e7.

After adding the computer account to a new security group in AD, you can remove the cached tickets using the purge parameter:

klist.exe -li 0x3e7 purge

Invoking klist.exe -li 0x3e7 purge deletes the tickets for the computer account.

Subsequently, by executing

gpupdate /force

you will get new tickets. If you run

klist.exe -li 0x3e7

again and compare the output with the earlier use of this command, you will see that the timestamps of the Kerberos tickets have changed.

Using

gpresult /r /scope computer

you can display the groups in which the local computer is a member. However, this command usually does not reflect the change after the tickets have been renewed, regardless of whether the account was added to or removed from a group.

However, if you use an AD group for GPO security filtering, then the change has an immediate effect here and is also visible in the output of gpresult. The same applies to the permissions on other resources.

Server2022Preview has been added to the HR group, which is not eligible for the WinRM GPO. gpresult does not show the HR group, but the effect on filtering is visible.

Updating memberships for users

While servers often cannot be restarted just to update membership in AD groups, it is usually not a major problem for users to log off and on again to gain access to certain resources by changing group memberships.

However, if you want to avoid a logoff, klist.exe can help here as well. In this case, after the user account has been added to a new group, execute

klist purge

on a command line without elevated privileges. The program prints the LogonID of the current user and confirms that the Kerberos tickets for this user have been deleted. To get new ones, you can start another instance of cmd.exe using runas.

After the klist purge, a new instance of cmd.exe shows the membership of the user in the group HR.

If you run

whoami /groups

there, then the change in the group memberships should already be noticeable. Accordingly, the user should also be able to access a network share, for example via the FQDN of the server, which he was denied before he was added to the new AD group.
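The following PowerShell script is an added example, not part of the original article: it automates the computer-account procedure above (verify the 0x3e7 session, snapshot the cached tickets, purge, gpupdate /force, snapshot again) and reports which tickets were actually reissued, which is the manual timestamp comparison the article describes. The ticket parser also works for the current user's own session after klist purge when called without -LogonId. It assumes the English-language klist output format ("Server:" and "Start Time:" lines) and an elevated shell.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): refresh the local computer account's
# Kerberos tickets after an AD group change and show which tickets were reissued.
# Assumes the English klist output format ("Server:" / "Start Time:" lines).

function Get-KerberosTicketSnapshot {
    # Returns one object per cached ticket for a logon session. With no -LogonId
    # it lists the current user's tickets, as a plain "klist" does.
    param([string]$LogonId)
    $klistArgs = if ($LogonId) { @('-li', $LogonId) } else { @() }
    $server = $null
    foreach ($line in (& klist.exe @klistArgs 2>&1)) {
        if ($line -match '^\s*Server:\s*(.+?)\s*$') { $server = $Matches[1]; continue }
        if ($server -and $line -match '^\s*Start Time:\s*(.+?)\s*$') {
            [pscustomobject]@{ Server = $server; StartTime = $Matches[1] }
            $server = $null
        }
    }
}

function Update-ComputerKerberosTickets {
    # LUID of the local computer (SYSTEM) session per the article; 0x3e4 would be
    # Network Service. Checked against "klist sessions" before anything is purged.
    $luid = '0x3e7'
    $session = & klist.exe sessions 2>&1 | Where-Object { $_ -match "$env:COMPUTERNAME\$" }
    if (-not ($session -match $luid)) {
        throw "Session for $env:COMPUTERNAME`$ with LogonId $luid not found; aborting."
    }

    $before = Get-KerberosTicketSnapshot -LogonId $luid
    & klist.exe -li $luid purge | Out-Null   # drop the stale tickets
    & gpupdate.exe /force | Out-Null         # forces fresh tickets to be requested
    $after = Get-KerberosTicketSnapshot -LogonId $luid

    # A changed or new Start Time means the ticket was reissued and therefore
    # carries the computer account's current group memberships.
    foreach ($t in $after) {
        $old = $before | Where-Object Server -eq $t.Server | Select-Object -First 1
        [pscustomobject]@{
            Server   = $t.Server
            OldStart = $old.StartTime
            NewStart = $t.StartTime
            Reissued = (-not $old) -or ($old.StartTime -ne $t.StartTime)
        }
    }
}

Update-ComputerKerberosTickets | Format-Table -AutoSize
```

A ticket listed with Reissued = False after the run means the service ticket was not requested again by gpupdate; accessing that service once more will request it with the new group set.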

It is obvious that the described solution works only for services that support Kerberos. With NTLM authentication, there is no way around rebooting or logging out.

6 Comments
  1. King Dingaling 5 years ago

    In your screenshot it shows the gpo being denied for the computer object, not a group. Therefore a simple gpupdate would pick up that change anyway.

    Reply
  2. Alexis Vézina 4 years ago

    Well, I just came across a case where doing the klist purge doesn’t seem to update the groups, when displaying the groups with whoami /groups.

    I also tried doing a gpupdate, and that didn’t update the groups. That was when I was trying to add a group to a user to give it access. But now, when I remove it, the access is denied immediately, but the groups listing still lists the groups, even after the klist purge.

    Reply
  3. Tom Linger 4 years ago

    Worked perfectly. Thanks for the posting. Always hated having to reboot when adding a computer to a Security group. Many times, you simply cannot restart a server to pick it up.

    Reply
  4. VbScrub 4 years ago

    “With NTLM authentication, there is no way around rebooting or logging out.”

    Not true. You can just kill explorer.exe and then launch it again by using runas.exe, as this will perform authentication with a DC and get a new token with the updated group membership for the new explorer process. So now they can access files and folders that are only accessible by those groups you added them to. Obviously requires the user to type their password in as part of the runas bit, but better than having to close everything and log off.

    Reply
  5. Surender Kumar 3 years ago

    Excellent post as always @wolfgang-sommergut. Thank you for sharing such useful commands.

    Reply
  6. Travis G 3 years ago

    I hope this helps the next person, but using klist doesn’t help me at all.

    The issue is we rely on groups for accounts other than the logged-in users. So if someone in accounting had another account like JDoe_Admin, they could use it. So if someone caches their credential before a group change was made, nothing worked…not even deleting the secondary account profile itself. Then I realized that a group change was made during login. However, this is a hassle since we don't allow log-ins on secondary accounts.

    So I ended up using runas /user:domain\JDoe_Admin password cmd, and that would update the group permissions right away.

    Reply
