Refresh Membership In AD Security Groups Without Reboot Or Logoff

Toggle navigation

• IT News
• Blog
• Community
  • Register
  • Forums
    • IT Administration Forum
    • PowerShell Forum
    • Community Forum
  • News
  • PowerShell Group
  • Members
  • Earning as 4sysops member
  • Member Ranks
  • Member Leaderboard – This Month
  • Member Leaderboard – This Year
  • Member Leaderboard – All-time
  • Author Leaderboard – 30 Days
  • Author Leaderboard – 365 Days
• Sitemap
  • AI Ops
  • Cloud Computing
  • DevOps
  • Deployment
  • Security
  • Monitoring
  • Networking
  • PowerShell
  • Sitemap
• About
  • About
  • Authors
  • Write for 4sysops
  • Sponsors
  • Contact
• Register
• Login

Refresh membership in AD security groups without reboot or logoff Home Blog Refresh membership in AD security groups without reboot or logoff

4sysops - The online community for sys and AI ops

Wolfgang Sommergut  Thu, Apr 15 2021Fri, Jul 28 2023  windows server, active directory  6 If you add computers or users to a security group in Active Directory, there will be no immediate effect. The associated permissions only take effect after a user has logged on again or the computer has been rebooted. This can be avoided by renewing the Kerberos tickets. Read 4sysops without ads for freeContents

1. Purging Kerberos tickets
2. Updating memberships for users

• Author
• Recent Posts

Wolfgang SommergutWolfgang Sommergut has over 20 years of experience in IT journalism. He has also worked as a system administrator and as a tech consultant. Today he runs the German publication WindowsPro.de. Latest posts by Wolfgang Sommergut (see all)

• Assign recommended Windows security settings with the free Harden Windows Security app - Wed, Jun 11 2025
• Activate Windows authentication with a PIN - Mon, Jun 2 2025
• Hyper-V Quick Create: Deploy custom VM images - Mon, May 19 2025

If you make a server a member of an AD group, for example, to include it in the security filtering of a GPO or to grant it permissions to request a certificate, it simply may not be possible to restart it immediately afterwards. However, a reboot is usually necessary to update computer membership in AD groups.

Read 4sysops without ads for free

Purging Kerberos tickets

You can bypass the reboot by renewing the Kerberos ticket for the computer with klist.exe. If you run

klist.exe sessions | findstr /i %COMPUTERNAME%

on a command prompt, you will see that the so-called low part of the local computer's LogonID always has the value 0x3e7, while 0x3e4 belongs to the network service. The corresponding cached Kerberos tickets can be displayed with

klist.exe -li 0x3e7

The low part of the local computers LogonID always has the value 0x3e7

After adding the computer account to a new security group in AD, you can remove them using the purge parameter:

klist.exe -li 0x3e7 purge

Invoking klist.exe li 0x3e7 purge deletes the tickets for the computer account

Subsequently, by executing

gpupdate /force

you will get new tickets. If you run

klist.exe -li 0x3e7

again and compare the output with the earlier use of this command, you will see that the timestamps of the Kerberos tickets have changed.

Using Read 4sysops without ads for free

gpresult /r /scope computer

you can display the groups in which the local computer is a member. However, this command usually does not reflect changes after the ticket was renewed, regardless of whether the account was added to or removed from a group.

However, if you use an AD group for GPO security filtering, then the change has an immediate effect here and is also visible in the output of gpresult. The same applies to the permissions on other resources.

Server2022Preview has been added to the HR group which is not eligible for the WinRM GPO. gpresult does not show the HR group but the effect on filtering.

Updating memberships for users

While servers often cannot be restarted just to update membership in AD groups, it is usually not a major problem for users to log off and on again to gain access to certain resources by changing group memberships.

However, if you want to avoid a logoff, klist.exe can help here as well. In this case, after the user account has been added to a new group, execute Read 4sysops without ads for free

klist purge

on a command line without elevated privileges. The program prints the LogonID of the current user and confirms that the Kerberos tickets for this user have been deleted. To get new ones, you can start another instance of cmd.exe using runas.

After the klist purge a new instance of cmd.exe shows the membership of the user in the group HR

If you run

whoami /groups

there, then the change in the group memberships should already be noticeable. Accordingly, the user should also be able to access a network share, for example via the FQDN of the server, which he was denied before he was added to the new AD group.

It is obvious that the described solution works only for services that support Kerberos. With NTLM authentication, there is no way around rebooting or logging out.

6 Comments Read 4sysops without ads for free

Join our IT community and read articles without ads!

Related Articles

• +

  Blocking user SyncJacking (account hijacking) in Microsoft Entra Connect

  IT Experts  Tue, Jan 27 2026Tue, Jan 27 2026  active directory, security, entra  0
• +

  Microsoft Entra PowerShell v1.2.0 brings Agent Identity Blueprint management and new automation features

  IT Experts  Wed, Jan 21 2026Wed, Jan 21 2026  powershell, active directory, AI, AI agents, entra  0
• +

  Disable weak RC4 encryption on Active Directory domain controllers to prevent Kerberoasting attacks exploiting Kerberos vulnerability CVE-2026-20833

  IT Experts  Tue, Jan 20 2026Tue, Jan 20 2026  encryption, active directory, security  0
• +

  Syncing passkeys with Microsoft Entra ID

  IT Experts  Wed, Dec 31 2025Wed, Dec 31 2025  password, active directory, security, entra, passkey  0
• +

  S2D and SAN coexistence in Windows Server failover clustering for Hyper‑V, SQL Server, and file services

  IT Experts  Mon, Dec 29 2025Mon, Dec 29 2025  virtualization, windows server, hyper‑v, storage, windows, windows server 2025  0
• +

  Microsoft to block unauthorized scripts in Entra ID logins with 2026 CSP update

  IT Experts  Thu, Dec 18 2025Thu, Dec 18 2025  active directory, security, identity, entra  0
• +

  Windows Server 2025 introduces native NVMe support with performance gains of up to 80 percent

  IT Experts  Wed, Dec 17 2025Wed, Dec 17 2025  performance, windows server, storage, windows, windows server 2025  0
• +

  UserLock 13.0: IAM for Active Directory with granular MFA, contextual access controls, and real-time session management

  IT Experts  Tue, Dec 16 2025Thu, Dec 18 2025  authentication, active directory, security, windows  0
• +

  New features in Microsoft Entra: WebView2, AI Agents ID, synced passkeys

  IT Experts  Mon, Dec 15 2025Mon, Dec 15 2025  active directory, cloud computing, azure, identity, entra  0
• +

  Self-service password reset with SMS in Microsoft Entra External ID

  IT Experts  Mon, Dec 15 2025Mon, Dec 15 2025  password, active directory, security, entra  0
• +

  Microsoft removes WINS after Windows Server 2025

  IT Experts  Thu, Nov 27 2025Thu, Nov 27 2025  networking, active directory, security, dns  0
• +

  New Windows 11 25H2 Group Policy settings

  IT Experts  Thu, Nov 13 2025Mon, Dec 8 2025  group policy, active directory, windows, windows 11  0
• +

  Windows Server 2025 WSUS blocks ESU updates

  IT Experts  Fri, Oct 17 2025Mon, Nov 10 2025  patch management, wsus, windows server, security, windows, windows server 2025  0
• +

  Install Linux Subsystem for Windows (WSL) on Windows Server 2025

  Markus Elsberger  Wed, Oct 15 2025Wed, Oct 15 2025  linux, windows server, windows, windows server 2025, wsl  3
• +

  AD replication error 8418: The replication operation failed because of a schema mismatch between the servers involved

  IT Experts  Mon, Oct 13 2025Mon, Oct 13 2025  exchange, windows server, active directory, windows, windows server 2025  0
• +

  Remote Desktop credential delegation (SSO) not working after enabling Credential Guard

  Leos Marek  Thu, Oct 9 2025Fri, Oct 10 2025  windows server, security, remote desktop services, windows  0
• +

  Understanding the interaction between Microsoft Defender for Identity and Secure Score

  IT Experts  Tue, Oct 7 2025Tue, Oct 7 2025  active directory, security, cloud computing, azure  0
• +

  New Administrative Templates (ADMX/ADML) for Windows, Outlook, Word, Excel, and OneNote

  IT Experts  Wed, Sep 24 2025Wed, Sep 24 2025  office, group policy, active directory  0
• +

  Migrate a Print Server to Windows Server 2025

  Leos Marek  Wed, Sep 17 2025Fri, Nov 14 2025  windows server, windows, windows server 2025  0
• +

  MPA Tools: Enhancing Microsoft endpoint management for Windows, Active Directory, Configuration Manager, Intune, and Entra ID

  Brandon Lee  Thu, Sep 4 2025Thu, Sep 4 2025  system center, active directory, systems management, configuration manager, windows, intune  0

SpinSecurity: Security and ransomware protection for Microsoft 365VMware vSphere 7 resource pool configuration and examples 6 Comments

1. King Dingaling 5 years ago

   In your screenshot it shows the gpo being denied for the computer object, not a group. Therefore a simple gpupdate would pick up that change anyway.

   Reply
2. Alexis Vézina 4 years ago

   Well, I just came across a case where doing the klist purge doesn’t seem to update the groups, when displaying the groups with whoami /groups.

   I also tried doing a gpupdate, and that didn’t update the groups. That was when I was trying to add a group to a user to give it access. But now, when I remove it, the access is denied immediately, but the groups listing still lists the groups, even after the klist purge.

   Reply
3. Tom Linger 4 years ago

   Worked perfectly. Thanks for the posting. Always hated having to reboot when adding a computer to a Security group. Many times, you simply cannot restart a server to pick it up.

   Reply
4. VbScrub 4 years ago

   “With NTLM authentication, there is no way around rebooting or logging out.”

   Not true. You can just kill explorer.exe and then launch it again by using runas.exe, as this will perform authentication with a DC and get a new token with the updated group membership for the new explorer process. So now they can access files and folders that are only accessible by those groups you added them to. Obviously requires the user to type their password in as part of the runas bit, but better than having to close everything and log off.

   Reply
5. Surender Kumar 3 years ago

   Excellent post as always @wolfgang-sommergut. Thank you for sharing such useful commands.

   Reply
6. Travis G 3 years ago

   I hope this helps the next person, but using klist doesn’t help me at all.

   The issue is we rely on groups for accounts other than the logged-in users. So if someone in accounting had another account like JDoe_Admin, they could use it. So if someone caches their credential before a group change was made, nothing worked…not even deleting the secondary account profile itself. Then I realized that a group changed was made during login. However, this is a hassle since we don’t allow log-ins on secondary accounts.

   So I ended up using runas /user:domain\JDoe_Admin password cmd, and that would update the group permissions right away.

   Reply

Leave a reply Click here to cancel the reply

Please enclose code in pre tags: <pre></pre>

Your email address will not be published. Required fields are marked *

Comment

Name *

Email*

Website

Notify me of followup comments via e-mail. You can also subscribe without commenting.

Receive new post notifications

Δ

Subscribe to Newsletter

Follow 4sysops

© 4sysops 2006 - 2026 WindowsUpdatePreventer

Log in with your credentials

Sign in Remember me Lost your password?

Forgot your details?

Reset Password I remember my details