Re: Renewing Kerberos ticket
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/01/05
Date: Mon, 28 Feb 2005 23:25:50 -0700
The account must log off and back on.
There is no other way. Refreshing a ticket does not
refresh the user token that is in use. Only getting a
new TGT through login authentication does that.
However, there is something that does not make sense in
what you have said.
The user runs a script that creates a group and adds themselves
to the group. The script then attempts to alter an ACL but is
denied due to permissions. You say that if their user token
were refreshed to see the new group and their membership in
it then they would not be denied. I do not see how that is so,
but do see how that seems impossible.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Amihai Bareket" <amihai73@hotmail.com> wrote in message
news:eQGERJiHFHA.3076@tk2msftngp13.phx.gbl...
> I'm working with a script that's creating new AD Security groups and
> changing their membership.
> The user that runs the script is added as a member of the new groups.
> Once the groups are created I need the script to create folders and set ACL
> on these folders using the new groups.
> Because the groups are newly created, the information that indicates that
> the logged in user (the one that's running the script) is a member of the
> new groups is not included in the Kerberos ticket he's been granted on
> logon.
> The permission change on the file system fails because of this with an
> access denied message (makes sense...). I'm using XCACLS to set the
> permissions on the new folders.
>
> Is there a way to request a renewal to a user's Kerberos ticket from a
> script or batch so that he will receive a new or renewed ticket with the new
> group information?
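
An added example, not part of the original message or thread: a PowerShell check that a provisioning script could run before its ACL step, to see whether the access token of the running process already carries a given group. It compares the group's SID with the group SIDs in the current token, which is the token the reply says is only rebuilt at logon. The function names and the group name `EXAMPLE\Project-Readers` are assumptions made for illustration.

```powershell
# Added example; helper names and the group name are hypothetical.

function Get-TokenGroupSid {
    # Group SIDs held in the access token of the current process.
    # This list is fixed when the logon session is created.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $identity.Groups | ForEach-Object { $_.Value }
}

function Test-TokenHasGroup {
    param(
        [Parameter(Mandatory = $true)]
        [string]$GroupName      # e.g. 'DOMAIN\GroupName'
    )

    try {
        # Resolve the group name to its SID through the normal account lookup.
        $account = New-Object System.Security.Principal.NTAccount($GroupName)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    catch {
        # Name not resolvable (not yet replicated, typo, domain unreachable).
        Write-Warning "Could not resolve '$GroupName' to a SID: $($_.Exception.Message)"
        return $false
    }

    # True only if the running token already contains that SID.
    return ((Get-TokenGroupSid) -contains $sid)
}

# Constructed sample value: replace with a group the script has just created.
$newGroup = 'EXAMPLE\Project-Readers'

if (Test-TokenHasGroup -GroupName $newGroup) {
    Write-Output "Token already contains $newGroup."
}
else {
    Write-Output "Token does not contain $newGroup; membership added after logon is not in this token."
}
```

For a group created and joined during the current session, the check reports that the SID is absent from the token even though the directory already lists the user as a member.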