Purge the computer account kerberos tickets
klist -lh 0 -li 0x3e7 purge
Force the gpo re-evaluation
Any previous attempt for access via newly added group membership should work; such as in this example I created a new Group, added this computer object into it, created a gMSA granting the group permission to use it, however the computer was not rebooted since added it into the group which was allowed access to install the gMSA.
PS C:\Windows\system32> New-ADGroup -Name "gMSANewGroup" -SamAccountName gMSANewGroup -GroupCategory Security -GroupScope Domain -DisplayName "gMSANewGroup" -Path "CN=Managed Service Accounts,DC=zewwy,DC=ca" -Description "Members of this group get Access to gMSATest2" PS C:\Windows\system32> Add-ADGroupMember "gMSANewGroup" -Members "THISCOMP$" PS C:\Windows\system32> New-ADServiceAccount -name gMSATest2 -DNSHostName gMSATest2.zewwy.ca -PrincipalsAllowedToRetrieveManagedPassword "gMSANewGroup"
Then Attempting to install the gMSA fails as the computer object hasn’t updated its group memberships locally, even though it has replicated throughout the domain, but following the command above to purge the computers tickets worked:
Hope this helps someone who needs to do granular group control but also don’t have the ability to reboot the host machine for service disruptions. 🙂
*NOTE* This does not apply to user group mapping. LSASS deal with users permission within groups (use whoami /groups) to see what I mean. a gpupdate /force, and a klist purge will not cause LSASS to update a users group membership. Users will still require to log off and back on for LSASS to apply new group memberships. Sorry!