During my DirectAccess deployment projects, I have to deal with security group membership for computer accounts. Restarting my DirectAccess clients to update the computer's Kerberos ticket takes time, and waiting for the tickets to be renewed on their own takes even longer. There may be an alternative. Let's have a look at the great tools of Mark RUSSINOVICH available at this location.
Let's start with the initial state of my DirectAccess computer. The GPRESULT.EXE output shows that the computer is not yet a member of the "Lazy Admin group". I don't want to restart the computer!
First Sysinternals tool: LOGONSESSIONS.EXE, which lists the logon sessions open on the DirectAccess client computer. We can see that the computer account has a Kerberos ticket. The SID of the local System account is S-1-5-18:
We now have the logon ID of the computer account's session. Let's get more details about this session with the KLIST.EXE command line.
The computer account holds Kerberos tickets negotiated on its behalf. Let's purge them.
And force the computer to obtain new Kerberos tickets with a simple GPUPDATE.EXE /FORCE command.
Does my computer negotiate new Kerberos tickets? Yes! Let's look at the GPRESULT.EXE output. And surprise: the computer is now a member of the new security group and applies a new GPO.
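The whole sequence above (inspect the computer account's tickets, purge them, force a policy refresh, re-check group membership), scripted as an added example that is not part of the original post. It uses only the built-in Windows tools KLIST.EXE, GPUPDATE.EXE and GPRESULT.EXE; the LOGONSESSIONS.EXE step is replaced by the fixed logon ID of the Local System session (LUID 0x3e7, which is always the session that holds the computer account's tickets). The group name and the parsing of the GPRESULT text are assumptions for illustration; the script must run from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post.
# Assumes: elevated PowerShell; built-in klist.exe / gpupdate.exe / gpresult.exe;
# Local System logon session LUID is 0x3e7 (fixed value on Windows).
$SystemLuid = '0x3e7'
$GroupName  = 'Lazy Admin group'   # placeholder: the group the computer was just added to

function Get-ComputerGroupMembership {
    # Parse the "part of the following security groups" block of gpresult /r /scope:computer.
    # Assumption: the block is a header line, a dashed separator, one group per line, then a blank line.
    $out = & gpresult.exe /r /scope:computer 2>&1
    $inBlock = $false
    $groups  = @()
    foreach ($line in $out) {
        $text = "$line".Trim()
        if ($text -match 'part of the following security groups') { $inBlock = $true; continue }
        if (-not $inBlock) { continue }
        if ($text -eq '')            { break }      # end of the group block
        if ($text -match '^-+$')     { continue }   # dashed separator under the header
        $groups += $text
    }
    return $groups
}

function Show-SystemTickets {
    # Same information as the post's KLIST step, scoped to the SYSTEM logon session.
    & klist.exe -li $SystemLuid
}

function Reset-ComputerKerberosTickets {
    # 1. Purge every ticket held by the SYSTEM logon session (the computer account).
    & klist.exe purge -li $SystemLuid | Out-Null
    # 2. Force a computer policy refresh: the client re-authenticates to the DC and
    #    receives a fresh TGT whose PAC carries the updated group membership.
    & gpupdate.exe /force /target:computer | Out-Null
}

# Usage: compare membership before and after the refresh, no reboot involved.
$before = Get-ComputerGroupMembership
Show-SystemTickets
Reset-ComputerKerberosTickets
$after = Get-ComputerGroupMembership

if (($after -contains $GroupName) -and -not ($before -contains $GroupName)) {
    "Group '$GroupName' now applies to this computer without a reboot."
} elseif ($after -contains $GroupName) {
    "Group '$GroupName' was already present."
} else {
    "Group '$GroupName' still not visible; check AD replication and the purge/refresh output."
}
```

Two things worth knowing when using this: klist -li 0x3e7 fails with an access-denied error from a non-elevated prompt, because only administrators may inspect another logon session's ticket cache; and the purge only renews Kerberos tickets, so the access token of the running SYSTEM session keeps the group list it was built with at boot. Anything that evaluates that token rather than a freshly issued ticket still needs a restart.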
It is simple by design. Sysinternals tools are the lazy admin's best friends.
BenoitS – Simple and Secure by design but Business compliant.