Group Membership Updates

In most cases, when updating the group membership of an Active Directory user, Microsoft will recommend logging out and then back in again for it to take effect. When updating the group membership information for a computer account, a reboot is recommended. Hardly desirable in production environments.

This isn’t related to Hyper-V or Tintri directly and likely impacts any of your applications or services that use Kerberos for authentication.

One of the reasons it’s necessary to log out or reboot is that our (now stale) group membership information is included in Kerberos tickets, which are cached and reused. Only once a ticket needs to be renewed is the new group membership information included. The cache is cleared when you log out and back in, or when the host reboots. There is a cache for every logged-in user as well as a cache for the computer itself.

The klist command can also be used to purge a given Kerberos credentials cache without the need for logging out and back in again. Just run klist purge as the user whose cache you want to clear (presumably yourself) on the host holding the cached tickets.

[Screenshot: klist purge run as the current user]

Easy. The next time you attempt to use a service that uses Kerberos authentication, a new service ticket will be requested and should have the latest group membership information (Active Directory replication willing).

By specifying the special, well-known logon ID (0x3e7) with that same klist purge command, we can clear the computer account’s Kerberos credentials cache, which results in new tickets being requested and issued for Kerberised network services.

[Screenshot: klist purge for the computer account’s cache (logon ID 0x3e7)]

Note that this operation cannot be performed unless running as an elevated user. Running unelevated will result in the following failure:

[Screenshot: klist purge of the computer account’s cache failing when run unelevated]

Purging the credentials cache won’t interrupt any existing services or sessions.

Many protocols (SMB 3.0, for example) only request a ticket and authenticate at the start of a session, so it may also be necessary to disconnect and reconnect things like network drives. This is still often more desirable than a system reboot.
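The procedure above wrapped into a small PowerShell helper, as an added example (not code from the original post): it checks for elevation before touching the machine cache, purges the user or computer account cache with klist, and reports the cached-ticket count before and after so you can confirm the purge took effect. It assumes klist.exe from Windows is on the PATH and parses its "Cached Tickets: (N)" summary line; the file server name in the trailing comments is a hypothetical placeholder.

```powershell
# Added example, not from the original post. Assumes klist.exe (built into Windows)
# is on the PATH. Logon ID 0x3e7 is the session that holds the computer
# account's tickets, as the post describes.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-CachedTicketCount {
    param([string]$LogonId)
    # klist prints a summary line like "Cached Tickets: (4)"; return that number.
    $klistArgs = @(); if ($LogonId) { $klistArgs += '-li', $LogonId }
    $text = (& klist.exe @klistArgs tickets 2>&1) -join "`n"
    if ($text -match 'Cached Tickets:\s*\((\d+)\)') { return [int]$Matches[1] }
    return -1   # cache could not be read (e.g. unelevated query of 0x3e7)
}

function Clear-KerberosCache {
    param([switch]$MachineAccount)   # purge the computer account's cache instead of the user's
    $logonId = if ($MachineAccount) { '0x3e7' } else { $null }
    if ($MachineAccount -and -not (Test-IsElevated)) {
        throw 'Purging the machine cache (logon ID 0x3e7) requires an elevated session.'
    }
    $before = Get-CachedTicketCount -LogonId $logonId
    $klistArgs = @(); if ($logonId) { $klistArgs += '-li', $logonId }
    $null = & klist.exe @klistArgs purge 2>&1
    if ($LASTEXITCODE -ne 0) { throw "klist purge failed with exit code $LASTEXITCODE" }
    $after = Get-CachedTicketCount -LogonId $logonId
    [pscustomobject]@{
        Cache  = $(if ($logonId) { 'machine' } else { 'user' })
        Before = $before   # tickets cached before the purge
        After  = $after    # should be 0 once the purge has run
    }
}

# Usage: purge the user cache, then the machine cache (needs an elevated prompt).
Clear-KerberosCache
Clear-KerberosCache -MachineAccount

# The next Kerberos request fetches a fresh ticket carrying current group data;
# to force one immediately for a (hypothetical) file server:
#   klist get cifs/fileserver.example.com
# A mapped SMB drive keeps its existing session, so reconnect it to use the new ticket:
#   net use X: /delete
#   net use X: \\fileserver.example.com\share
```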
