Re: Computer Account Group Membership



Thanks Paul.

"Paul Bergson [MVP-DS]" wrote:

This is news to me. I have some resources, I will see what I can find out
but it might take a day or two.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"BenP" <BenP@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:983720A1-E839-410F-AC31-4050F845EAEF@xxxxxxxxxxxxxxxx
I have proven that I can just leave the machine and after 7 days the policy
will apply. So far as I can work out, this is down to the default Kerberos
policy 'Maximum lifetime for user ticket renewal' = 7 days, after which time a
new Kerberos exchange occurs, the machine "logs on" and the PAC gets rebuilt
with the additional group membership.

I don't want to wait and can't reboot, so is there any way of forcing this
process or should I raise a ticket with MS?

Rgds

"Paul Bergson [MVP-DS]" wrote:

I don't know how waiting seven days is going to help; as far as I know the
machine has authenticated to the domain and until it re-authenticates
(Reboot) I don't see how it can change its group membership token. The only
way I am aware of is a reboot.


"BenP" <BenP@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:90BB3F45-59FC-46AF-B57F-FF83C37B39CC@xxxxxxxxxxxxxxxx
I am using computer account 'filter' groups to apply policy.

I add a computer account to the group. I then have to reboot or wait 7
days (renewable Kerberos tickets) for the membership and policy to apply.

How can I force this to happen without rebooting? I have tried variations of
purging Kerberos tickets and nltest and netdom to reset the secure channel or
cycle the password but this doesn't seem to do it.

Rgds





