On Tue, Jun 20, 2017 at 12:29 PM, Charles F Sullivan <charles.sulliva...@bc.edu> wrote:
> I don't think I've ever had a server successfully get group membership in
> its access token without a reboot. We all know that a user has to log out
> and back on. A machine has to reboot.

Actually not ...
http://www.windowsnetworking.com/kbase/WindowsTips/Windows7/AdminTips/Admin/Forcingre-evaluationofcomputergroupmembership.html

> Not sure if there's an alternative to rebooting, like restarting the
> netlogon service, and I'm not sure why you're seeing some servers that got
> the group membership without a reboot, but I would stop right there until
> the servers have been rebooted.

I think I might know. If you do a klist -li 0x3e7 (to show the Kerberos ticket cache of the computer account), you can see the ticket refresh times. (There are like 11 computer Kerberos tickets, apparently.) I think that when the tickets are refreshed, it finds out its new group memberships. And so no reboot needed. That's just a guess ...