Thursday, December 15, 2016

Updating computer's AD Security Group membership without rebooting

I found the following to be very useful -

From an elevated command prompt, execute "klist -li 0x3e7" to view the Kerberos tickets cached in the computer account's logon session. To purge them, simply execute "klist -li 0x3e7 purge".

A typical use case might involve targeting GPOs based on a computer's group membership. When you add a computer to a group in order to test the application of policies, you can reboot it or, alternatively, run the commands above to purge the tickets in the computer's logon session, then run "gpupdate /force" and check.
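The steps above as one elevated PowerShell script, ending with a check that the group appears in the computer's Group Policy results. This is an added example, not part of the original post; the `-GroupName` parameter, the `/target:computer` switch and the use of `gpresult /r /scope computer` for the final check are assumptions added here.

```powershell
# Added example: refresh the computer account's Kerberos tickets and confirm
# the new group is visible to Group Policy, without a reboot.
# $GroupName is a hypothetical parameter: the group the computer was just added to.
param(
    [Parameter(Mandatory = $true)]
    [string]$GroupName
)

# klist -li can only address another logon session (0x3e7 = Local System) when elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Show the tickets currently cached for the computer account, then purge them.
klist -li 0x3e7
klist -li 0x3e7 purge
if ($LASTEXITCODE -ne 0) { throw "klist purge exited with code $LASTEXITCODE" }

# Re-apply computer policy; the machine has to request fresh tickets to do so.
# /target:computer limits the refresh to computer settings (assumption: user policy is not under test).
gpupdate /target:computer /force
if ($LASTEXITCODE -ne 0) { throw "gpupdate exited with code $LASTEXITCODE" }

# gpresult lists the security groups the computer was evaluated as a member of.
# This is a plain text match on the group name anywhere in the report.
$report = gpresult /r /scope computer | Out-String
if ($report -match [regex]::Escape($GroupName)) {
    Write-Output "OK: '$GroupName' appears in the computer's Group Policy results."
} else {
    Write-Warning "'$GroupName' not found in gpresult output; check AD replication and the membership itself."
    exit 1
}
```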

In a spirit of giving credit where credit is due, I found a few references to this, but the one I learned it from was