Thanks! I will do some testing On 20 April 2010 17:00, Free, Bob <[email protected]> wrote:
> If you purge the TGT and then try to access a network resource by FQDN > then a new TGT with upgraded memberships should be issued. > > > > You can test with klist tgt to see in action. > > > > *From:* James Rankin [mailto:[email protected]] > *Sent:* Tuesday, April 20, 2010 8:47 AM > > *To:* NT System Admin Issues > *Subject:* Re: Group membership updates > > > > We tend to deploy applications to users via group membership. The shortcuts > to applications are held in a single shared desktop folder, with NTFS > permissions on each shortcut linking to the application group. It is quick > and dirty and saves writing new entries to the relevant GPOs every time you > want to push out a new app. However, some of our more PITA users are > complaining that they have to log off and back on when a new app is > deployed, so we were trying to give them a way to update their group > memberships dynamically by running some sort of shortcut on their desktop. > > I considered klist, but does that not just purge the Kerberos token and you > have to reacquire a new one at login time? I've never used it before - that > was just what I read in a couple of forums. > > Cheers, > > On 20 April 2010 16:40, Free, Bob <[email protected]> wrote: > > Is the issue around Kerberos tickets? Is it that YOU want to update Their > memberships or you want Them to be able to do it to themselves? You could > have them purge their tickets with klist if they are somewhat savvy… > > > > *From:* James Rankin [mailto:[email protected]] > *Sent:* Tuesday, April 20, 2010 3:40 AM > *To:* NT System Admin Issues > *Subject:* Group membership updates > > > > I know that there's probably no way of doing this, but I thought I'd > ask....is there any way of updating a logged-on user's AD group memberships > without them logging out of the system? Everything I've read suggests that > there is no way to update an access token except by logging in again, so > short of launching an application with a RunAs command, I think I may be > pretty much snookered. I live in hope though..... > > > TIA, > > > > JRR > > -- > "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into > the machine wrong figures, will the right answers come out?' I am not able > rightly to apprehend the kind of confusion of ideas that could provoke such > a question." > > > > > > > > > > > > > -- > "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into > the machine wrong figures, will the right answers come out?' I am not able > rightly to apprehend the kind of confusion of ideas that could provoke such > a question." > > > > > > > > > > -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
