Re: Modifying Security Group memberships require reboot!

Tech-Archive recommends: Speed Up your PC by fixing your registry

No you can't update computer local security tokens without a reboot, that is when computers do their actual logon. It is the same as user's logging on, they don't get their local interactive token refreshed until they log off and log on.

Nothing about windows is real-time.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


M. Eteum wrote:
This is the last message I got from the group_policy guru:

Darren Mar-Elia (MVP) wrote:
No problem. My environment was an XP client in W2K3 domain. ran klist as localSystem via AT, as you specified. I had also trying doing this before using kerbtray and had the same results. Apparently, the computer's security token is only built once, at reboot. So, even though it periodically gets a new TGT, the security token is not updated during a typical Kerberos refresh cycle. Would have been nice...


To AD Gurus -- just to be sure,
I posted and followed the thread in Microsoft.public.windows.group_policy under "GPO Updates Latency and Reboot requirements" thread, and somewhat disappointed knowing that there is no way to add/remove membership of the Security Groups without rebooting. I have 250 or so server that is almost impossible to get approval for rebooting without going thru bureaucracy debacle.

Is there a way to ask Windows to re-read the security token after it's rebooted? I'm wondering if Microsoft security mechanism is dynamic and real-time? I'd presume that real-time security is quite important in a multi-user, multi-tasking, and networked environment.

Thank you in advance.

M.

.