One of the challenges of using security groups for computer account administration is that, like users, computer accounts determine their group membership at logon, which for a computer happens at boot time.
What if you need to update a computer’s group membership when the computer is away from the network?
The GPO was limited to a security group, and even though the remote workstation was in that group, the system itself didn’t know that because it was working on cached information. I needed to force Windows to reevaluate its group membership while connected to the VPN.
This can be accomplished by purging the Kerberos ticket cache.
Open an elevated command prompt and run: klist -lh 0 -li 0x3e7 purge
Then run: gpupdate /force
The computer will then re-evaluate its group membership and apply the appropriate GPOs, including the much-needed DirectAccess GPO.
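The two commands above with the checks a practitioner would want around them, as an added PowerShell example that is not part of the original article. It assumes a domain-joined machine and an elevated Windows PowerShell 5.1 session; the script structure and variable names are illustrative.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell 5.1
# on a domain-joined computer, started with "Run as administrator".

# 0x3e7 is the logon ID of the Local System session, which holds the
# computer account's Kerberos tickets. Kept as a string so PowerShell
# passes it to klist unchanged instead of converting it to 999.
$SystemLuid = '0x3e7'

# Purging another logon session's tickets requires administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated session.'
}

# A domain controller must be reachable (for example over the VPN);
# otherwise the purged tickets cannot be replaced with fresh ones.
if (-not (Test-ComputerSecureChannel)) {
    throw 'No working secure channel to the domain; connect to the network first.'
}

Write-Host '--- Computer account tickets before purge ---'
klist -li $SystemLuid

# Step 1 from the article: purge the computer account's ticket cache.
klist -lh 0 -li $SystemLuid purge
if ($LASTEXITCODE -ne 0) {
    throw "klist purge failed with exit code $LASTEXITCODE"
}

# Step 2 from the article: refresh policy, which makes the computer
# request new tickets that carry its current group membership.
gpupdate /force
if ($LASTEXITCODE -ne 0) {
    throw "gpupdate failed with exit code $LASTEXITCODE"
}

Write-Host '--- Computer account tickets after refresh ---'
klist -li $SystemLuid

# Verification: the computer section of the report lists the applied GPOs
# and the security groups the computer was evaluated as a member of.
Write-Host '--- Computer policy result ---'
gpresult /r /scope computer
```

In the `gpresult` output, confirm that the security group the GPO is filtered on appears in the computer's group list and that the GPO is listed as applied.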
Shane Skriletz, PEI