To update security group membership on a computer, we need to restart the computer to take effect. However, we can update security group membership on a computer without rebooting in domain environment by performing "Klist".
What is "Klist"?
"Klist" is a tool which can list and purge the service tickets and ticket-granting-ticket (TGT). By performing "Klist", we can delete all the tickets of the computer logon session.
Remark: "Klist.exe" is available in Windows Server 2008, Windows Server 2008 R2 and Windows 7. To perform "Klist.exe" in Windows Vista, Windows XP, Windows Server 2003 and Windows 2000, you have to install Windows Server Resource Kit Tools.
How come the TGT is deleted on the computer but the computer doesn't restart to update security group membership?
Generally speaking, the existing TGT includes the data of current security group membership. If I delete the existing TGT on the computer, the computer can receive a new TGT which includes the data of the latest security group membership.
When will the computer update the TGT?
By default, restating the computer can update the TGT because the Key Distribution Center (KDC) provides the TGT when the computer logs on.
Goals
Updating the security group membership without restarting the servers.
Test method
I will create a security group named "CA Servers" in the domain controller. Creating a new GPO with "Security Filtering", I will add the servers in "CA Servers" group. I will perform "Klist" and "gpupdate" on the servers to test the result.
Lab environment
- 1 domain controller which is installed Windows Server 2008
- 2 member servers which is installed Windows Server 2008
Prerequisites
2 servers named CA01 and CA02 are under "Servers" OU in "pro.corp.contoso.com" domain and make sure the servers has been powered on.
The domain controller is named DC02.
Lab
1. On DC02, log in as Domain Administrator.
2. Launch "Active Directory Users and Computers".
3. Create a group named "CA Servers" in "Servers" OU.
4. Launch "Group Policy Management Console".
5. Navigate to "Servers" OU.
6. Right-click "Servers" OU, select "Create a GPO in this domain, and Link it here".
7. Under "Name", type "CA Servers GPO", click "OK".
8. Next to "Security Filtering", remove "Authenticated Users".
9. Click "Add" to add "CA Servers" group.
10. Right-click "CA Servers GPO", select "Edit".
11. Expand "Computer Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Connections".
12. On the right-pane, double-click "Allow users to connect remotely using Terminal Services".
13. Select "Disabled".
14. Click "OK".
15. Close "Group Policy Management Editor".
16. Close "Group Policy Management Console".
17. Back to "Active Directory Users and Computers".
18. Add "CA01" and "CA02" as the member of "CA Servers" group.
19. Click "OK".
20. Close "Active Directory Users and Computers".
Test result
1. On CA01, log in as Domain Administrator.
2. Launch "Command Prompt" with "Administrative privilege".
3. Perform "klist -li 0x3e7 tgt".
The "0x3e7" is the logon identifier of the computer account logon session. You can use "logonsession.exe" from the Sysinternals to find the logon session.
4. Perform "gpupdate /force" to update the group policy.
5. Perform "rsop.msc" to verify the group policy.
The CA Servers GPO doesn't apply to CA01 because the security group membership on CA01 doesn't update.
6. Close "Resultant Set of Policy".
7. Back to "Command Prompt", perform "klist -li 0x3e7 purge".
All tickets of the computer has been deleted.
8. Perform "gpupdate /force" to update the group policy.
9. Perform "rsop.msc" to verify the group policy.
As a result, the GPO has been applied to CA01. It means CA01 received
a new TGT which includes the data of the latest security group membership.
10. Close "Resultant Set of Policy".
11. Perform "klist -li 0x3e7 tgt" to verify the TGT.
The TGT of CA01 was updated.
12. Go to CA02, log in as Domain Administrator.
13. Launch "Command Prompt" with "Administrative privilege".
14. Perform "gpupdate /force" to update the group policy.
15. Perform "rsop.msc" to verify the group policy.
16. Close "Resultant Set of Policy".
17. Restart CA02.
18. Perform "rsop.msc" to verify the group policy.
The GPO has been applied to CA02 because CA02 received a new TGT which includes the data of the latest security group membership.
Reference:
Updating a server's security group membership without rebooting
For more information:
Klist
LogonSessions
Kerberos Explained
Understanding Microsoft Kerberos PAC Validation
This posting is provided “AS IS” with no warranties, and confers no rights!
Good stuff! Thanks.
ReplyDelete