Terry L@u's blog: Updating security group membership on a computer without rebooting by Klist

Thursday, May 31, 2012

Updating security group membership on a computer without rebooting by Klist

To update security group membership on a computer, we need to restart the computer to take effect. However, we can update security group membership on a computer without rebooting in domain environment by performing "Klist".

What is "Klist"?

"Klist" is a tool which can list and purge the service tickets and ticket-granting-ticket (TGT). By performing "Klist", we can delete all the tickets of the computer logon session.

Remark: "Klist.exe" is available in Windows Server 2008, Windows Server 2008 R2 and Windows 7. To perform "Klist.exe" in Windows Vista, Windows XP, Windows Server 2003 and Windows 2000, you have to install Windows Server Resource Kit Tools.

How come the TGT is deleted on the computer but the computer doesn't restart to update security group membership?

Generally speaking, the existing TGT includes the data of current security group membership. If I delete the existing TGT on the computer, the computer can receive a new TGT which includes the data of the latest security group membership.

When will the computer update the TGT?

By default, restating the computer can update the TGT because the Key Distribution Center (KDC) provides the TGT when the computer logs on.

Goals

Updating the security group membership without restarting the servers.

Test method

I will create a security group named "CA Servers" in the domain controller. Creating a new GPO with "Security Filtering", I will add the servers in "CA Servers" group. I will perform "Klist" and "gpupdate" on the servers to test the result.

Lab environment

1 domain controller which is installed Windows Server 2008
2 member servers which is installed Windows Server 2008

Prerequisites

2 servers named CA01 and CA02 are under "Servers" OU in "pro.corp.contoso.com" domain and make sure the servers has been powered on.

The domain controller is named DC02.

Lab

1. On DC02, log in as Domain Administrator.

2. Launch "Active Directory Users and Computers".

3. Create a group named "CA Servers" in "Servers" OU.

4. Launch "Group Policy Management Console".

5. Navigate to "Servers" OU.

6. Right-click "Servers" OU, select "Create a GPO in this domain, and Link it here".

7. Under "Name", type "CA Servers GPO", click "OK".

8. Next to "Security Filtering", remove "Authenticated Users".

9. Click "Add" to add "CA Servers" group.

10. Right-click "CA Servers GPO", select "Edit".

11. Expand "Computer Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Connections".

12. On the right-pane, double-click "Allow users to connect remotely using Terminal Services".

13. Select "Disabled".

14. Click "OK".

15. Close "Group Policy Management Editor".

16. Close "Group Policy Management Console".

17. Back to "Active Directory Users and Computers".

18. Add "CA01" and "CA02" as the member of "CA Servers" group.

19. Click "OK".

20. Close "Active Directory Users and Computers".

Test result

1. On CA01, log in as Domain Administrator.

2. Launch "Command Prompt" with "Administrative privilege".

3. Perform "klist -li 0x3e7 tgt".

The "0x3e7" is the logon identifier of the computer account logon session. You can use "logonsession.exe" from the Sysinternals to find the logon session.