… or: How to update group membership information of the computer account?

When you change the Active Directory group membership of a user, you usually ask them to log off and log on again, or even to reboot the machine. You don't tell them why, you just tell them to do so. What happens? Group membership travels inside the user's Kerberos tickets (in the PAC of the TGT), and those tickets are issued at logon. Logging on again therefore yields tickets that carry the updated group SIDs, and the user can access the resources they were just granted. A reboot goes one step further: the machine logs on again with its computer account, so the Kerberos tickets of the SYSTEM account get updated as well.

You can check which tickets a user currently holds by running the klist command without any arguments:

(Screenshot: klist output for the current user)

But what about the SYSTEM / computer account? You can't log off and log on as SYSTEM. You would have to restart the machine, or wait for the tickets to expire, which with the default domain policy (Maximum lifetime for user ticket) takes up to 10 hours. klist can help here too. By running

klist -li 0x3e7

you get a list of the SYSTEM account's tickets:

(Screenshot: klist showing the Kerberos tickets of the SYSTEM account)


And by running

klist -li 0x3e7 purge

you delete all of its tickets. The next time the system contacts a domain resource it requests new ones, which carry the updated group membership information. No reboot needed:

(Screenshot: klist purge for the SYSTEM account)

The important part of this command is the -li parameter, which takes the low part of the logon ID (LUID) of the logon session whose ticket cache you want to address. For the SYSTEM account this is always 0x3e7 (999 decimal); the other two well-known service sessions are 0x3e4 (NETWORK SERVICE) and 0x3e5 (LOCAL SERVICE), and klist sessions lists every logon session on the machine with its ID. Two caveats: the command has to be run from an elevated prompt, otherwise klist is not allowed to touch another session's ticket cache, and purging only refreshes what remote services see in the PAC of newly issued tickets. The local access token of the SYSTEM session, and with it any ACL the machine evaluates locally, still carries the old group SIDs until the next reboot.
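The whole procedure as one script, added here as an example and not part of the original post. It checks that it runs elevated, records the start time of the SYSTEM session's TGT, purges the cache with klist -li 0x3e7 purge, makes SYSTEM contact a domain controller right away, and then confirms that a fresh TGT was issued. The function names, the use of gpupdate as the trigger and the parsing of klist's "StartTime" line are my own choices; klist only reports ticket times, not the group SIDs in the PAC, so a changed start time is the evidence that new tickets were obtained.

```powershell
# Added example, not from the original post: refresh the Kerberos tickets of the
# SYSTEM logon session (the computer account) so that a changed AD group
# membership takes effect without a reboot, and verify that a new TGT was issued.
# Assumes a domain-joined Windows host and a PowerShell started "Run as administrator".

$SystemLogonId = '0x3e7'   # low part of SYSTEM's logon ID (999 decimal)

function Test-IsElevated {
    # klist refuses to touch another logon session's cache without an elevated token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-TgtStartTime {
    param([string]$LogonId)
    # "klist -li <id> tgt" prints the cached TGT of that session. Only its start
    # time is needed to tell an old ticket from a freshly issued one. When the
    # cache is empty klist prints an error instead of a ticket, so return $null.
    $output = & klist.exe -li $LogonId tgt 2>&1
    foreach ($line in $output) {
        if ("$line" -match 'Start\s*Time\s*:\s*(.+?)\s*$') { return $Matches[1] }
    }
    return $null
}

function Reset-SystemKerberosTickets {
    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated (Administrator) PowerShell prompt.'
    }

    $before = Get-TgtStartTime -LogonId $SystemLogonId
    Write-Host "SYSTEM TGT before purge : $(if ($before) { $before } else { '<none cached>' })"

    # Drop every ticket in the SYSTEM session. Established SMB/LDAP connections
    # stay up; only new connections need (and will fetch) new tickets.
    & klist.exe -li $SystemLogonId purge | Out-Null

    # Make SYSTEM talk to a domain controller now instead of waiting for the next
    # scheduled access. gpupdate is a convenient trigger because the Group Policy
    # client runs as SYSTEM, and it is the usual follow-up when the group was
    # added for GPO security filtering. Any other domain access by SYSTEM works too.
    & gpupdate.exe /target:computer /force | Out-Null

    $after = Get-TgtStartTime -LogonId $SystemLogonId
    Write-Host "SYSTEM TGT after purge  : $(if ($after) { $after } else { '<none cached>' })"

    if ($after -and ($after -ne $before)) {
        Write-Host 'New TGT issued; it carries the computer account''s current group SIDs.'
        return $true
    }
    Write-Warning 'No new TGT observed. Check that the group change has replicated to the DC this host talks to.'
    return $false
}

Reset-SystemKerberosTickets
```

The start-time comparison is deliberately a string comparison: klist prints the time in the local date format, and parsing it as a date in every locale is more fragile than it is worth. If the script reports no new TGT, the usual reason is that the membership change has not replicated to the domain controller the machine uses yet, so the new ticket would not contain the new SID anyway.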