If you purge the TGT and then try to access a network resource by FQDN then a new TGT with upgraded memberships should be issued.
You can test with klist tgt to see in action. From: James Rankin [mailto:[email protected]] Sent: Tuesday, April 20, 2010 8:47 AM To: NT System Admin Issues Subject: Re: Group membership updates We tend to deploy applications to users via group membership. The shortcuts to applications are held in a single shared desktop folder, with NTFS permissions on each shortcut linking to the application group. It is quick and dirty and saves writing new entries to the relevant GPOs every time you want to push out a new app. However, some of our more PITA users are complaining that they have to log off and back on when a new app is deployed, so we were trying to give them a way to update their group memberships dynamically by running some sort of shortcut on their desktop. I considered klist, but does that not just purge the Kerberos token and you have to reacquire a new one at login time? I've never used it before - that was just what I read in a couple of forums. Cheers, On 20 April 2010 16:40, Free, Bob <[email protected]> wrote: Is the issue around Kerberos tickets? Is it that YOU want to update Their memberships or you want Them to be able to do it to themselves? You could have them purge their tickets with klist if they are somewhat savvy... From: James Rankin [mailto:[email protected]] Sent: Tuesday, April 20, 2010 3:40 AM To: NT System Admin Issues Subject: Group membership updates I know that there's probably no way of doing this, but I thought I'd ask....is there any way of updating a logged-on user's AD group memberships without them logging out of the system? Everything I've read suggests that there is no way to update an access token except by logging in again, so short of launching an application with a RunAs command, I think I may be pretty much snookered. I live in hope though..... TIA, JRR -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
