Update Computer Account Group Membership without Rebooting


Often, when working with SMS 2003 in advanced security mode, the need arises to add computer objects to Active Directory groups. Normally, a reboot is required for a computer account to become aware of the group membership change. It is often difficult to arrange the scheduled downtime necessary to reboot a production server.

I've used the below procedure to update the computer's security token without rebooting.  This does take a bit of effort, but it doesn't involve rebooting your server.

  • Download the Klist utility. You'll need to install the .msi package and get klist.exe from the install directory.
  • Next, launch an interactive command prompt running as the system account: click Start -> Run and enter "AT <time> /i cmd.exe".
  • (NOTE: If you are trying to launch an interactive command prompt via a remote desktop session to your server, you will need to be logged on to session 0 to see the command prompt. You can do this by using the following command when connecting to the server: "mstsc /console".)
  • When the command prompt launches, run "klist purge".
  • Run "gpupdate /force".

 

Your computer's security token should now be updated.
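
The procedure above as a single script, added here as an example (not the author's code). It assumes PowerShell is available and, when not already running as SYSTEM, a klist.exe that accepts the "-li 0x3e7" form given in the comments; Get-KlistPrefix is a hypothetical helper name.

```powershell
# Added example, not the author's script. Run it from the SYSTEM prompt
# described in the procedure, or from an elevated administrator prompt.
$SystemLogonId = '0x3e7'   # logon session ID (LUID) of the local SYSTEM account

function Get-KlistPrefix {   # hypothetical helper name
    param([bool]$RunningAsSystem)
    # As SYSTEM, klist already acts on the computer's own logon session.
    # From any other account that session has to be named with -li
    # (assumption: this klist.exe supports -li, as in the comment's command).
    if ($RunningAsSystem) { return @() }
    return @('-li', $SystemLogonId)
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not ($identity.IsSystem -or $isAdmin)) {
    throw 'Run this as SYSTEM or from an elevated administrator prompt.'
}

$prefix = @(Get-KlistPrefix -RunningAsSystem $identity.IsSystem)

# Step 1: purge the computer account's cached Kerberos tickets so that the
# next ticket request carries the current group memberships.
& klist.exe @prefix purge
if ($LASTEXITCODE -ne 0) { throw "klist purge exited with code $LASTEXITCODE" }

# Step 2: refresh Group Policy, which makes the computer authenticate again.
& gpupdate.exe /force
if ($LASTEXITCODE -ne 0) { Write-Warning "gpupdate exited with code $LASTEXITCODE" }

# Step 3: list the tickets now held by the computer account; their start
# times should be later than the purge.
& klist.exe @prefix tickets
```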

Comments (5)
  1. Often times when working with SMS 2003 in advanced security mode the need arises to add computer objects

  2. Fantastic tip. Thank you very much!

    Vinicius Canto

    MVP Windows Server – Admin Frameworks

    Brazil

  3. Hey, keep up the blog posts! Interesting stuff!

  4. AaronT says:

    I was just trying to confirm security group membership (for computers) required a reboot.  Thanks for confirming and also for the workaround.

  5. Jakob Heidelberg says:

    You could also use: klist -li 0x3e7 purge
