Update Computer Account Group Membership without Rebooting
When working with SMS 2003 in advanced security mode, the need often arises to add computer objects to Active Directory groups. Normally, a reboot is required for a computer account to become aware of the group membership change, and it is often difficult to arrange the scheduled downtime necessary to reboot a production server.
I've used the below procedure to update the computer's security token without rebooting. This does take a bit of effort, but it doesn't involve rebooting your server.
- Download the Klist utility. You'll need to install the .msi package and get klist.exe from the install directory.
- Next, launch an interactive command prompt running as the system account: click Start -> Run and enter "AT <time> /i cmd.exe".
- (NOTE: If you are trying to launch an interactive command prompt via a remote desktop session to your server, you will need to be logged on to session 0 to see the command prompt. You can do this by using the following command when connecting to the server: "mstsc /console")
- When the command prompt is launched, run "klist purge".
- Run "gpupdate /force".
Your computer's security token should now be updated.
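The same purge, policy refresh and a membership check as one script. This is an added example, not part of the original post: it assumes a Windows version whose built-in klist.exe supports the "-li 0x3e7" form quoted in the comments, and the group name is a hypothetical placeholder.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
param(
    # Hypothetical group name: replace with the group the computer was added to.
    [string]$ExpectedGroup = 'EXAMPLE-SMS-Servers'
)

$SystemLuid = '0x3e7'   # logon session ID of the local SYSTEM account

# klist -li against another logon session needs an elevated administrator token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

# Record the tickets currently cached for the computer account.
Write-Host "Tickets cached for logon session $SystemLuid before the purge:"
& klist.exe -li $SystemLuid

# Purge them so that new tickets are requested with the current group membership.
& klist.exe -li $SystemLuid purge
if ($LASTEXITCODE -ne 0) {
    throw "klist purge failed with exit code $LASTEXITCODE"
}

# Reapply Group Policy, as in the last step of the procedure.
& gpupdate.exe /force
if ($LASTEXITCODE -ne 0) {
    throw "gpupdate failed with exit code $LASTEXITCODE"
}

# Check the computer's reported security groups for the expected group.
$report = & gpresult.exe /r /scope computer
if ($report | Select-String -SimpleMatch $ExpectedGroup) {
    Write-Host "'$ExpectedGroup' is listed in the computer's security groups."
} else {
    Write-Warning "'$ExpectedGroup' is not listed; check replication and the group name."
    exit 1
}
```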
Comments
Anonymous
January 31, 2008
Fantastic tip. Thank you very much!
Vinicius Canto MVP Windows Server - Admin Frameworks Brazil
Anonymous
February 04, 2008
Hey, keep up the blog posts! Interesting stuff!
Anonymous
March 18, 2010
I was just trying to confirm security group membership (for computers) required a reboot. Thanks for confirming and also for the workaround.
Anonymous
September 20, 2012
You could also use: klist -li 0x3e7 purge