Downsides to updating computer group membership using the 'klist' command?

    Question

  • There are several sites that discuss using 'klist' to update computer group memberships without rebooting.

    e.g. https://www.shellandco.net/update-computer-membership-without-reboot/

    Are there any downsides to performing this action? Will this disrupt active sessions (connections)?

    TIA!

    Thursday, January 12, 2017 8:43 PM

All replies

  • There are several sites that discuss using 'klist' to update computer group memberships without rebooting.

    e.g. https://www.shellandco.net/update-computer-membership-without-reboot/

    Are there any downsides to performing this action? Will this disrupt active sessions (connections)?

    TIA!

    Hi,

    The group membership is included in the Kerberos ticket.
    If you want to update Kerberos after a group membership update, you can purge it, and the next time the user tries to access the resource, it will get a new ticket (TGT) with the right group membership.

    You should run the following commands:

    klist purge
    
    gpupdate /force

    Thursday, January 12, 2017 9:12 PM
  • Thanks Thameur. I've already executed the command a few times - I know it works.

    What I'd like to know is whether there are any downsides to running it. Does it have the potential to cause issues on the server in question?

    Thursday, January 12, 2017 9:20 PM
  • Thanks Thameur. I've already executed the command a few times - I know it works.

    What I'd like to know is whether there are any downsides to running it. Does it have the potential to cause issues on the server in question?

    No downtime, if the server is able to contact the domain controller to get the new Kerberos ticket.

    If you notice downtime, it means that the server has a problem contacting the domain controller.

    • Proposed as answer by Todd Heron Friday, January 13, 2017 3:52 AM
    Thursday, January 12, 2017 9:26 PM
  • Running klist purge at a cmd prompt clears the USER's Kerberos tokens.

    Not the computer's tokens.

    You need to run klist in the system context. Not your user's context, which would be the default when you open a cmd prompt.

    Saturday, December 16, 2017 4:17 PM
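
The point made in the last reply, as an added example that is not part of the original thread: purging the computer account's tickets means targeting the LocalSystem logon session rather than your own. It assumes an elevated PowerShell session on a domain-joined machine that can reach a domain controller; the variable name is illustrative.

```powershell
# Added example (not from the thread): refresh the COMPUTER account's
# Kerberos tickets without a reboot.

# 0x3e7 is the well-known logon ID of the LocalSystem logon session,
# which holds the tickets issued to the computer account.
$SystemLuid = '0x3e7'   # illustrative variable name

# klist can only reach another logon session from an elevated process.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated session.'
}

# Before: list the tickets the machine currently holds.
klist -li $SystemLuid

# Purge only the LocalSystem session's tickets. A plain "klist purge"
# would clear the tickets of the interactive user instead.
klist -li $SystemLuid purge
if ($LASTEXITCODE -ne 0) {
    throw "klist purge failed with exit code $LASTEXITCODE"
}

# Refresh computer policy; the machine has to request new tickets
# from a domain controller to do so.
gpupdate /target:computer /force

# After: confirm new tickets were issued and check which security
# groups the computer is now evaluated as a member of.
klist -li $SystemLuid
gpresult /r /scope computer
```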