Score:1

Why don't Windows domain machines periodically query security group membership, like other things?


When I was in lower tier support (and sometimes still), one of the most annoying sequences of events was a request for new file permissions >> add user to security group and specify in the reply "you must log out and back into your machine". 20 minutes later, "I'M STILL GETTING DENIED PERMISSION!!" Because you didn't log out and back in, did you?

Why don't Windows machines in an AD domain periodically query and update the user group membership like they do for group policies and many other things?

Score:3

The need to log out is due to AD group memberships only updating when a Kerberos ticket is created, which occurs during login.

You can refresh a computer's Kerberos ticket by running klist -li 0:0x3e7 purge on an elevated command line, followed by gpupdate /force if you need to update the group policy.

Reference: http://woshub.com/how-to-refresh-ad-groups-membership-without-user-logoff/

WakeDemons3
I'm going to select this answer because it's literally true. But I more wanted the "why". Why doesn't the PC do this Kerberos ticket purge and update as a background process just like with GPOs (every 90 minutes), or DNS lists, or NTP, etc.?
slightly_toasted
@WakeDemons3 I would assume it has to do with the tradeoff between using up resources (mostly CPU) to regenerate the Kerberos ticket, multiplied by all logged in accounts on the domain, vs. causing a slight inconvenience when a group membership change occurs. Also, due to Kerberos being stateless, it wouldn't be possible for the AD to trigger a ticket regeneration on account membership change.
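As an added illustration of the mechanism the answer and comments describe (this script is not from the original post or the linked article), the PowerShell below compares the group SIDs that were baked into the current logon token at logon time with the user's direct group membership as the directory reports it right now. Any group present in the directory list but absent from the token is a change the existing session will not honour until a new logon builds a new token. It assumes the ActiveDirectory RSAT module is installed and a domain controller is reachable; the `klist purge` at the end is the per-user form of the ticket refresh mentioned in the answer (the answer's `-li 0x3e7` variant targets the local system logon session, i.e. the computer account).

```powershell
# Added example, not code from the original post or the referenced article.
# Shows why "log off and back on" is needed: the access token is built once at logon,
# so a later group change in AD is visible in the directory but not in the token.

# 1. Groups in the current access token (fixed when the logon session was created).
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }

# 2. Direct group membership according to the directory right now.
#    Assumption: ActiveDirectory module (RSAT) present and a DC reachable.
Import-Module ActiveDirectory
$dirGroups = Get-ADPrincipalGroupMembership -Identity $env:USERNAME

# 3. Direct groups the directory knows about that the token does not carry.
#    (The token holds transitive membership, so every direct group should be in it
#    unless it was added after logon.)
$missingFromToken = $dirGroups | Where-Object { $tokenSids -notcontains $_.SID.Value }

if ($missingFromToken) {
    Write-Host "Groups in AD but not in this logon token (a new logon is needed to pick them up):"
    $missingFromToken | Select-Object Name, SID | Format-Table -AutoSize
} else {
    Write-Host "Logon token matches current directory group membership."
}

# 4. Refresh the current user's Kerberos tickets. The next service ticket is issued from a
#    fresh TGT whose PAC carries current membership, so a remote file server that authorizes
#    from the ticket sees the new group. The local logon token of this session is NOT rebuilt,
#    so resources authorized locally (and group changes nested one level up) still need a logoff.
klist purge
```

Run it in the user's own session before and after the group change to see the token and directory diverge; run the comparison again after a fresh logon to confirm the token has caught up. Because `Get-ADPrincipalGroupMembership` returns only direct membership, a change to a group that is itself nested in the permissioned group will not show up in this comparison even though it has the same stale-token effect.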