If you have ever tested anything that is based on AD groups for computers, such as GPO software deployment, you have seen that the PC “knows” its new group membership only after a reboot or after seven days of waiting.
After searching for a while, I found a way to pick up membership changes without a reboot:
Open a command prompt in the system user context and purge the Kerberos tickets to get new ones, e.g. with the great tool psexec:
a) Download psexec
b) Open an elevated command prompt, navigate to the folder you downloaded psexec to, and start psexec with the parameter “-s” to start the session on the local PC in the system user context:
psexec -s cmd
c) Run “klist -li 0x3e7 purge”
d) The Kerberos tickets get renewed and the new group membership is also populated
On Windows 7 and later/Server 2008 and later, klist comes with the OS; on Windows XP/Vista/Server 2003 you have to get klist from the Windows Server 2003 Resource Kit Tools.
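The steps above as one script, as an added example that is not part of the original post. It assumes PowerShell was started inside the SYSTEM session opened with psexec -s; the gpupdate and gpresult calls are additions of this example, used to trigger and check the result.

```powershell
# Added example, not from the original post.
# Assumption: started inside the SYSTEM session opened with "psexec -s".

$LogonId = '0x3e7'   # logon session purged in step c) of the post

# Refuse to run outside the system user context (well-known SID S-1-5-18),
# so the script cannot be mistaken for having worked in a normal admin shell.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.User.Value -ne 'S-1-5-18') {
    throw "Running as $($me.Name); start this from the 'psexec -s' session."
}

# Show the tickets cached for the computer before the purge.
Write-Host "Tickets before purge:"
& klist.exe -li $LogonId

# Step c) from the post: purge the Kerberos tickets of that logon session.
& klist.exe -li $LogonId purge
if ($LASTEXITCODE -ne 0) {
    throw "klist exited with code $LASTEXITCODE; tickets were not purged."
}

# Addition of this example: refresh computer policy so the machine requests
# new tickets now instead of at its next background refresh.
& gpupdate.exe /target:computer /force

# Show the tickets again; the list should now contain freshly issued ones.
Write-Host "Tickets after purge and policy refresh:"
& klist.exe -li $LogonId

# Addition of this example: print the computer part of the policy result,
# which includes the security groups the computer is a member of.
& gpresult.exe /r /scope computer
```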
Thanks to Darren for sharing this great tip!