I am using Windows Server 2008 R2 and have a Windows service running under the "network service" account on computer ComputerA. This Windows service wants to access a shared folder (on another computer, ComputerB) which grants read permission to a group, GroupA. So I need to add the computer account of ComputerA to GroupA and restart ComputerA.
My question is: is there a way to let the group membership take effect immediately without restarting ComputerA?
PSExec is a free SysInternals download from Microsoft.
To clear up any confusion, this process absolutely will refresh the group memberships of a computer, and allow a group policy that applies to a security group to now apply to the computer, without rebooting the computer. This has been tested and verified on Windows Server 2012 R2 and Windows Server 2008 R2 and a universal security group. The short version would be:
psexec -s -i -d cmd.exe
klist tgt
(view the current ticket, make note of the size. Also note that since you are running as system, the Current Logon Id is 0x3e7)
klist purge
nltest /dsgetdc:domain.com
(run this or any other command that will connect to a network resource and force a TGT request)
klist tgt
(view the current ticket, make note of the size. It should be slightly larger. Note that whoami /groups will not reflect the new membership)
At this point, the system command prompt may be exited.
gpupdate /force
gpresult /h gpresult.html
View the gpreport, it should now show the group policy is applied.
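The same refresh scripted without PsExec, as an added example that is not part of the original answer: klist's -li switch targets another logon session from an elevated prompt. It assumes the well-known logon IDs 0x3e7 (LocalSystem) and 0x3e4 (NetworkService, the account in the question) and the "(size: N)" line that klist tgt prints; the function and variable names are illustrative.

```powershell
# Added example (not from the original answer). Run from an elevated PowerShell prompt.
# Well-known logon session IDs: 0x3e7 = LocalSystem, 0x3e4 = NetworkService.
$sessions = @{ 'LocalSystem' = '0x3e7'; 'NetworkService' = '0x3e4' }

function Get-TgtSize([string]$LogonId) {
    # Assumption: klist reports the cached TGT as "EncodedTicket : (size: NNNN)".
    $out = & klist.exe -li $LogonId tgt 2>&1 | Out-String
    if ($out -match '\(size:\s*(\d+)\)') { return [int]$Matches[1] }
    return $null   # no TGT cached for this logon session
}

# 1. Record the TGT size per session before the purge (the "make note of the size" step).
$before = @{}
foreach ($name in $sessions.Keys) {
    $before[$name] = Get-TgtSize $sessions[$name]
}

# 2. Purge the cached tickets of both machine-identity sessions.
foreach ($name in $sessions.Keys) {
    & klist.exe -li $sessions[$name] purge | Out-Null
}

# 3. Computer policy is processed as LocalSystem, so this forces a new TGT
#    request in session 0x3e7 and re-evaluates security-group filtering.
& gpupdate.exe /target:computer /force | Out-Null

# 4. Compare sizes: a ticket issued after the group change carries the extra
#    group in its authorization data, so it should be slightly larger.
foreach ($name in $sessions.Keys) {
    $after = Get-TgtSize $sessions[$name]
    if ($after -eq $null) {
        Write-Output "${name}: no TGT cached yet; one is requested on next network access"
    } elseif ($before[$name] -eq $null) {
        Write-Output "${name}: new TGT cached, size $after bytes"
    } else {
        $delta = $after - $before[$name]
        Write-Output "${name}: TGT size $($before[$name]) -> $after bytes (change: $delta)"
    }
}
```

A service that already holds an open connection to the share keeps using the session built from its old ticket until it reconnects.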
I think restarting the netlogon service does the same thing, not sure what the overall impact would be. Pretty sure that users would be temporarily disconnected though.
On my domain only works this for a network drive: