Thursday, May 29, 2014

Renew A Windows Server Group Membership Without Rebooting

A Windows computer account determines its group membership when the computer starts. If the computer account is added to another group, the new membership does not take effect automatically. This is painful in some situations, such as when Group Policy is modified based on group memberships: the settings will not take effect until the computer is restarted. To work around this, you can perform the following steps:




Note - the following steps must be run from a command prompt with elevated privileges.

First, run the following command to purge the computer's Kerberos tickets. This forces the computer account to re-authenticate with the domain controller and rebuild its group memberships.

klist -lh 0 -li 0x3e7 purge

Now that the group memberships have been updated, we can reapply Group Policy:

gpupdate /force

Finally, check the results by running the gpresult command. This will return the group memberships and policies applied to both the user and computer accounts.

gpresult /r
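
The three steps above as one PowerShell script that also confirms the new group shows up afterwards. This is an added example, not part of the original post; the $ExpectedGroup parameter and the Get-ComputerGroups helper are hypothetical names, and the parsing assumes English gpresult output.

```powershell
# Added example. $ExpectedGroup (hypothetical) is the group the computer was just added to.
param([Parameter(Mandatory = $true)][string]$ExpectedGroup)

# The steps need an elevated prompt, so stop early if this session is not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

function Get-ComputerGroups {
    # Assumption: the group list follows this heading and a dashed line, then a blank line.
    $groups = @()
    $inSection = $false
    foreach ($line in (& gpresult.exe /r /scope computer)) {
        if ($line -match 'The computer is a part of the following security groups') {
            $inSection = $true
            continue
        }
        if (-not $inSection) { continue }
        $text = $line.Trim()
        if ($text -match '^-+$') { continue }
        if ($text -eq '') {
            if ($groups.Count -gt 0) { break }
            continue
        }
        $groups += $text
    }
    return $groups
}

$before = @(Get-ComputerGroups)

# Step 1: purge the Kerberos tickets of logon session 0x3e7 (LocalSystem, the computer account).
& klist.exe -lh 0 -li '0x3e7' purge
if ($LASTEXITCODE -ne 0) { throw "klist purge failed with exit code $LASTEXITCODE" }

# Step 2: reapply Group Policy.
& gpupdate.exe /force

# Step 3: re-read the computer's groups and report what changed.
$after = @(Get-ComputerGroups)
$after | Where-Object { $before -notcontains $_ } | ForEach-Object { "New group: $_" }
if ($after | Where-Object { $_.EndsWith($ExpectedGroup, [StringComparison]::OrdinalIgnoreCase) }) {
    "OK: gpresult now lists $ExpectedGroup for the computer account"
} else {
    Write-Warning "$ExpectedGroup is not listed in the gpresult output."
}
```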

