How to Refresh Active Directory Group Membership in Windows.
There are two ways to refresh a user's Active Directory group membership and apply new settings or changes without waiting for them to take effect automatically:
- Log off and log on again. This action checks all groups that the user is a member of. (Simplest way)
- Reset the Kerberos ticket cache (Hard way)
Reset Kerberos Tickets cache
NOTE: This method works only for network services that support Kerberos authentication (for example, access to network printers). Services that work only with NTLM authentication still require the user to log off and log on again, or a Windows restart.
You can get the list of groups the current user is a member of in the Windows PowerShell or Command Prompt (CMD) using the following command:
whoami /groups
or with GPResult:
gpresult /r
NOTE: The list of groups a user is a member of is displayed in the section "The user is a part of the following security groups".
Kerberos tickets can be reset without restarting the computer by using klist.exe. Klist has been included in Windows since Windows 7.
Computer membership
1. Right-click the Start button and run Windows PowerShell (Admin) (you can also use cmd);
2. To reset the whole cache of Kerberos tickets on a computer and update the computer membership in AD groups, run the following:
klist -lh 0 -li 0x3e7 purge
NOTE: 0x3e7 is a special identifier for the logon session of the local computer (Local System).
After running the command and updating the policies, all policies assigned to the Active Directory group using Security Filtering will be applied to the computer.
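The computer-membership steps above combined into one script, added here as an example (it is not part of the original article). The function name Get-ComputerGroups is hypothetical, the parsing assumes English-language gpresult output, and gpupdate /force is used for the "updating the policies" step.

```powershell
#Requires -RunAsAdministrator
# Added example: refresh the computer's AD group membership without a reboot
# and report which groups appeared or disappeared in the gpresult report.

# Hypothetical helper: read the computer's security groups from gpresult.
# Assumes English output ("The computer is a part of the following security groups").
function Get-ComputerGroups {
    $lines = @(gpresult /r /scope computer)
    $header = $lines |
        Select-String -Pattern 'part of the following security groups' |
        Select-Object -First 1
    if (-not $header) { return @() }

    $groups = @()
    # LineNumber is 1-based, so index LineNumber is the dashed underline;
    # the group names start on the line after it.
    for ($i = $header.LineNumber + 1; $i -lt $lines.Count; $i++) {
        $name = $lines[$i].Trim()
        if ($name -eq '') { break }   # a blank line ends the group list
        $groups += $name
    }
    return $groups
}

$before = @(Get-ComputerGroups)

# Purge the Kerberos tickets of the Local System logon session (0x3e7).
klist -lh 0 -li 0x3e7 purge

# Re-apply computer policy (the "updating the policies" step).
gpupdate /target:computer /force | Out-Null

$after = @(Get-ComputerGroups)

# Compare by name; -notin avoids Compare-Object errors on empty lists.
$added   = @($after  | Where-Object { $_ -notin $before })
$removed = @($before | Where-Object { $_ -notin $after })

if ($added.Count)   { "Groups added:   $($added -join ', ')" }
if ($removed.Count) { "Groups removed: $($removed -join ', ')" }
if (-not $added.Count -and -not $removed.Count) {
    'No change in computer group membership reported by gpresult.'
}
```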
User membership
1. Right-click the Start button and run Windows PowerShell (Admin) (you can also use cmd);
2. Reset all Kerberos tickets of the user with this command:
klist purge