{"id":705,"date":"2019-10-03T11:42:06","date_gmt":"2019-10-03T16:42:06","guid":{"rendered":"http:\/\/zewwy.ca\/?p=705"},"modified":"2020-02-11T18:00:52","modified_gmt":"2020-02-12T00:00:52","slug":"update-computer-group-membership-without-reboot","status":"publish","type":"post","link":"https:\/\/zewwy.ca\/index.php\/2019\/10\/03\/update-computer-group-membership-without-reboot\/","title":{"rendered":"Update Computer Group Membership without Reboot"},
"content":{"rendered":"<p><a href=\"https:\/\/www.shellandco.net\/blog\/2016\/07\/07\/update-computer-membership-without-reboot\/\">Source<\/a><\/p>\n<p>Purge the Kerberos tickets held by the computer account. The computer account authenticates from the SYSTEM logon session, whose logon ID (LUID) is always 0x3e7, so <code>-lh 0 -li 0x3e7<\/code> selects that session's ticket cache. Purging another session's tickets requires an elevated prompt.<\/p>\n<pre>klist -lh 0 -li 0x3e7 purge<\/pre>\n<p>Force a Group Policy refresh. This makes the machine contact a domain controller immediately, and with the ticket cache empty it has to request a new TGT for the computer account.<\/p>\n<pre>gpupdate \/force<\/pre>\n<p>Access that previously failed because of a newly added group membership should now work. In this example I created a new group, added this computer object to it, and created a gMSA that allows members of the group to retrieve its managed password; the computer was not rebooted after being added to the group.<\/p>\n<pre>PS C:\\Windows\\system32&gt; New-ADGroup -Name \"gMSANewGroup\" -SamAccountName gMSANewGroup -GroupCategory Security -GroupScope Domain -DisplayName \"gMSANewGroup\" -Path \"CN=Managed Service Accounts,DC=zewwy,DC=ca\" -Description \"Members of this group get Access to gMSATest2\"\r\nPS C:\\Windows\\system32&gt; Add-ADGroupMember \"gMSANewGroup\" -Members \"THISCOMP$\"\r\nPS C:\\Windows\\system32&gt; New-ADServiceAccount -name gMSATest2 -DNSHostName gMSATest2.zewwy.ca -PrincipalsAllowedToRetrieveManagedPassword \"gMSANewGroup\"<\/pre>\n<p>Attempting to install the gMSA on the computer then fails, even though the group change has already replicated throughout the domain. The reason is that the computer is still presenting a TGT obtained before the change (normally at boot); the PAC inside that ticket lists the group SIDs as they were when it was issued, and the domain controller authorizes the managed-password read from those SIDs. Purging the tickets with the command above forces a fresh TGT that carries the current membership, after which the install worked:<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/uhi7fMc.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/uhi7fMc.png\" alt=\"\" width=\"857\" height=\"332\" \/><\/a><\/p>\n<p>Hope this helps someone who needs granular group control but cannot reboot the host machine because of the service disruption it would cause. \ud83d\ude42<\/p>\n<p>*NOTE* This does not apply to user group membership. A user's group SIDs are fixed in the access token that LSASS builds at logon (run <code>whoami \/groups<\/code> to see that token's view), and neither <code>gpupdate \/force<\/code> nor <code>klist purge<\/code> rebuilds an existing token. Users still have to log off and back on for new group memberships to apply. Sorry!<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Source Purge the computer account kerberos tickets klist -lh 0 -li 0x3e7 purge Force the gpo re-evaluation gpupdate \/force Any previous attempt for access via newly added group membership should work; such as in this example I created a new Group, added this computer object into it, created a gMSA granting the group permission to &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/zewwy.ca\/index.php\/2019\/10\/03\/update-computer-group-membership-without-reboot\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Update Computer Group Membership without Reboot&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"sfsi_plus_gutenberg_text_before_share":"","sfsi_plus_gutenberg_show_text_before_share":"","sfsi_plus_gutenberg_icon_type":"","sfsi_plus_gutenberg_icon_alignemt":"","sfsi_plus_gutenburg_max_per_row":"","footnotes":""},"categories":[8,197],"tags":[],"class_list":["post-705","post","type-post","status-publish","format-standard","hentry","category-server-administration","category-windows"],
"_links":{"self":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/705","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/comments?post=705"}],"version-history":[{"count":3,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/705\/revisions"}],"predecessor-version":[{"id":832,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/705\/revisions\/832"}],"wp:attachment":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/media?parent=705"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/categories?post=705"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/tags?post=705"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
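The procedure the post describes (try the gMSA install, purge the SYSTEM session's tickets, force a Group Policy refresh, retry) as one script, added here as a worked example; it is not code from the post or from the linked source. It is meant to be run elevated on the member server that should use the gMSA, after the AD-side steps shown in the post have been done on a domain controller. It assumes the RSAT ActiveDirectory module is present on the host and uses the post's names (gMSANewGroup, gMSATest2) as defaults; the function names and the membership pre-check are this example's own additions, so that tickets are only purged when the directory already shows the computer in the group and the failure is really the stale PAC.

```powershell
<#
Added example, not code from the original post. Run elevated on the member
server that should use the gMSA. Assumes the RSAT ActiveDirectory module is
installed and that the group, the computer's membership in it, and the gMSA
already exist in AD (the post's New-ADGroup / Add-ADGroupMember /
New-ADServiceAccount steps). Names default to the post's but can be overridden.
#>
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string]$GroupName      = 'gMSANewGroup',
    [string]$ServiceAccount = 'gMSATest2'
)

$ErrorActionPreference = 'Stop'
# LUID of the SYSTEM logon session; the computer account authenticates from it.
$SystemLogonId = '0x3e7'

function Get-SystemSessionTickets {
    # Tickets currently held by the SYSTEM session (klist -lh <high> -li <low>).
    klist.exe -lh 0 -li $SystemLogonId | Out-String
}

function Test-ComputerInGroup {
    param([string]$Group)
    # The directory's own view of membership. If this is false the problem is
    # replication or a missing Add-ADGroupMember, not stale tickets.
    $self = Get-ADComputer -Identity $env:COMPUTERNAME
    $null -ne (Get-ADPrincipalGroupMembership -Identity $self |
        Where-Object { $_.Name -eq $Group })
}

function Install-GmsaWithTicketRefresh {
    param([string]$Account)
    # First attempt: only succeeds if the computer's current TGT already carries
    # the group SID (for example because the host was rebooted after the change).
    try {
        Install-ADServiceAccount -Identity $Account
        return 'installed-without-purge'
    } catch {
        Write-Warning "Install-ADServiceAccount failed: $($_.Exception.Message)"
    }

    # The post's fix: discard the SYSTEM session's tickets so the computer
    # account has to obtain a new TGT whose PAC reflects current membership ...
    klist.exe -lh 0 -li $SystemLogonId purge | Out-Null
    # ... then force a Group Policy refresh, which contacts a DC right away and
    # so triggers that new TGT request instead of waiting for the next refresh.
    gpupdate.exe /force | Out-Null

    # Second attempt with fresh tickets; a failure here is a terminating error.
    Install-ADServiceAccount -Identity $Account
    return 'installed-after-purge'
}

if (-not (Test-ComputerInGroup -Group $GroupName)) {
    throw "$env:COMPUTERNAME is not a member of $GroupName in AD; add it on a DC first."
}

Write-Host "SYSTEM session tickets before:`n$(Get-SystemSessionTickets)"
$outcome = Install-GmsaWithTicketRefresh -Account $ServiceAccount
Write-Host "Outcome: $outcome"
Write-Host "SYSTEM session tickets after:`n$(Get-SystemSessionTickets)"

# Final check: Test-ADServiceAccount returns $true once this host can retrieve
# the managed password.
if (-not (Test-ADServiceAccount -Identity $ServiceAccount)) {
    throw "Test-ADServiceAccount still fails; check PrincipalsAllowedToRetrieveManagedPassword on $ServiceAccount."
}
Write-Host "$ServiceAccount is usable on $env:COMPUTERNAME without a reboot."
```

The `klist` output printed before and after the purge is the quickest way to confirm what actually happened: before, the SYSTEM session holds a TGT with a start time from the last boot; after, it holds a freshly issued one. As the post's closing note says, this only refreshes the Kerberos tickets the machine uses towards remote services; the local SYSTEM token is untouched, which is fine here because the managed-password read is authorized on the domain controller.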