Forcing re-evaluation of computer group membership

by Mitch Tulloch [Published on 1 Dec. 2011 / Last Updated on 1 Dec. 2011]

How to force re-evaluation of computer group membership after the user has logged on.

Per-machine Group Policy and security group membership, for both users and computers, are processed only during the initial startup/login process. You can, however, trigger re-evaluation of computer group membership with the Klist command, which is part of the Windows Server 2003 Resource Kit Tools. First run the following command:

klist -li 0x3e7 purge

Then run this command on the computer:

gpupdate /force

The first command clears the Kerberos ticket cache for the computer account (that’s the 0x3e7 part) while the second command causes the computer to authenticate anew and determine its new group membership.

The Windows Server 2003 Resource Kit Tools can be downloaded from http://go.microsoft.com/fwlink/?LinkId=77796
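An added example, not part of the original tip: a PowerShell wrapper that runs the two commands above from an elevated prompt and compares the computer-scope gpresult summary before and after, so a change in the computer's security groups is visible. It assumes `gpresult /r` is available (Windows Vista/Server 2008 or later) and that klist.exe is on the path; the function name `Get-ComputerRsop` is hypothetical.

```powershell
# Added example (not from the original article). Run on the domain-joined
# computer from an elevated PowerShell prompt.

# Purging another logon session's tickets (0x3e7) and reading computer-scope
# RSoP data both need administrator rights, so check before doing anything.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

# Hypothetical helper: returns the non-empty lines of the computer-scope
# summary, which includes the security groups the computer is a member of.
function Get-ComputerRsop {
    & gpresult.exe /r /scope computer |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_ }
}

$before = Get-ComputerRsop

# Step 1: purge the Kerberos tickets cached for the computer account
# (logon session 0x3e7).
& klist.exe -li 0x3e7 purge
if ($LASTEXITCODE -ne 0) { throw "klist exited with code $LASTEXITCODE" }

# Step 2: reapply policy so the computer authenticates anew and picks up
# its current group membership.
& gpupdate.exe /force
if ($LASTEXITCODE -ne 0) { throw "gpupdate exited with code $LASTEXITCODE" }

$after = Get-ComputerRsop

# Show only the lines that changed. '=>' marks lines present after the
# refresh, '<=' marks lines present only before it. Timestamps such as the
# last policy application time are expected to differ on every run.
Compare-Object -ReferenceObject $before -DifferenceObject $after |
    Sort-Object SideIndicator |
    Format-Table SideIndicator, InputObject -AutoSize -Wrap
```

A group added to the computer account in Active Directory should appear as a `=>` line under the security groups section of the output.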

Mitch Tulloch is a Microsoft Most Valuable Professional (MVP) and widely recognized expert on Windows administration, deployment and virtualization. For more tips by Mitch you can follow him on Twitter or friend him on Facebook.

The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com .
