Security Privileges not applied till next logon

Status
Not open for further replies.

humbletech99

Programmer
Nov 22, 2005
155
GB
I have a Windows 2003 active directory domain and I find that when assigning or revoking security privileges via group memberships as standard they don't take effect until the user logs off and back on again.

This is a problem from the point of view that users can't access files until they log off and back on to get the effective group membership to access the files that have permissions assigned to the group.

It's also a problem from the point of view of revoking privileges. If I revoke an administrator for example, the account still has administrative rights indefinitely until it logs off!

Is there a way to force the security changes, group membership changes etc to take effect without having users log off and back on again?
 
There is no way to avoid this. When the user logs on using Kerberos (NTLM has similar features), the group membership SIDs are stored in the optional component of the Kerberos authentication packet. The expiration for this data is not instant (going completely from memory, it has 7 days cache?).

This is actually a good thing - otherwise each time a user attempted any action with security (and almost every action is security-enabled), it would have to re-authenticate with the DC. Just think of EVERY file access - EVERY process launch needing DC authentication - it would kill the server, log far too much data to be of use on the DC, and flood bandwidth!

There is a (GPO?) method of decreasing the cache time of kerberos authentication - I just don't remember how at the moment.

I haven't ever tried - but you could attempt gpupdate /target:user /force - strictly speaking it shouldn't work - but for 30 seconds...

There is a ResKit tool to show kerberos information for the current user if you plan on testing.
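A practical way to see the effect described above is to compare the group SIDs baked into the logged-on token with what the DC would put in a fresh token. The script below is an added example (not from the thread or from Microsoft); it assumes the RSAT ActiveDirectory module on a domain-joined host, PowerShell 3 or later, and that it is run in the session of the user being checked.

```powershell
# Added example, not from the thread. Compares the group SIDs in the current
# logon token with the user's current transitive AD membership, listing grants
# that are not yet effective and revocations that are still in force. The
# stale token only goes away when the user logs off and on again.
Import-Module ActiveDirectory

$user      = Get-ADUser -Identity $env:USERNAME -Properties PrimaryGroupID
$domainSid = (Get-ADDomain).DomainSID.Value

# What the DC would put in a NEW token: every group that transitively contains
# the user (LDAP_MATCHING_RULE_IN_CHAIN), plus the primary group, which lives
# in primaryGroupID rather than in any group's member attribute.
$adSids = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
            ForEach-Object { $_.SID.Value })
$adSids += "$domainSid-$($user.PrimaryGroupID)"

# What is actually in the token built at logon. Only this domain's SIDs are
# kept, so BUILTIN and well-known SIDs (Everyone, Authenticated Users, ...)
# do not show up as differences. Groups from other domains are not compared.
$tokenSids = @([System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
               ForEach-Object { $_.Value } |
               Where-Object { $_ -like "$domainSid-*" })

function Resolve-Sid([string]$Sid) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    }
    catch { $Sid }   # group deleted since logon: nothing left to resolve
}

foreach ($sid in ($adSids | Where-Object { $tokenSids -notcontains $_ })) {
    "NOT YET EFFECTIVE (granted in AD, missing from token): $(Resolve-Sid $sid)"
}
foreach ($sid in ($tokenSids | Where-Object { $adSids -notcontains $_ })) {
    "STILL EFFECTIVE   (removed in AD, present in token):  $(Resolve-Sid $sid)"
}
```

`whoami /groups` shows the token side on its own if you only want a quick look; the STILL EFFECTIVE list is the one to watch after revoking a privileged group.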
 