BojanZivkovic-7448 asked

Active Directory PAM feature

Hi, I want to use the Active Directory PAM feature to allow standard users from our company's Veeam team to be local administrators on the Veeam servers only for a certain period of time (I will create a GUI tool based on PowerShell for submitting/approving PAM requests).

However, due to the nature of the Kerberos token, I guess they will keep local admin rights on the servers they are already logged on to even after their group membership expires (practically, only after logging off will they "lose" local admin rights). Am I right, and if the answer is yes, how do I "forcibly" strip them of local admin rights when the TTL of their group membership expires? (They will be members of an AD group that is a member of the local admin group on all their servers; that AD group will be empty until they submit a PAM request via the GUI tool.)

Thank you in advance.

windows-server-2016

LimitlessTechnology-2700 answered

Hello @BojanZivkovic-7448,

Thank you for your question and reaching out.

Group membership forms part of the user's Kerberos token, as far as I'm aware. This can only be generated at login, which is why you must have users log out and back in again for new group memberships to take effect.

Filesystem permissions apply the moment you hit "Apply". I would do as you say and join users to the group, wait a day, and then remove the individual user permissions.

The reason your users will need to log out and back in again is that the security token for that group membership on the user object doesn't exist yet. Basically, you're right; you'll need to have your users log out to get this security token. The best method is to add them, then wait until you're confident they've gone through this process.

But... you can initiate re-authentication manually. This typically means you need to log in again. LSASS only hands this token out when the user authenticates, which is usually only at logon, but you can do something like `C:\> runas /user:YouProgram.exe a"`.


Or, as a workaround that avoids the hassle of logging off and on:

  1. Open Command Prompt.

  2. Kill the explorer.exe process (this only kills Windows Explorer; all your other applications are safe). You can do it remotely using PsExec from Sysinternals.

  3. In the Command Prompt, type the following command: `runas /user:DOMAIN\ explorer.exe`

You will be prompted to enter your password. Enter your password.





--If the reply is helpful, please Upvote and Accept as answer--


BojanZivkovic-7448 answered

Here I am more worried about them still having local admin rights on the servers because the Kerberos ticket still lists them as members of the AD group even though the AD group membership has expired (TTL).

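The concern raised in this thread is that the logon token built at sign-in keeps the expired group until the session ends, so the only way to "strip" the rights is to end that session. The script below is an added example, not code from the thread or from any poster, of an enforcement job that does exactly that: it reads the live, time-bound membership of the PAM group, finds interactive sessions on the Veeam servers that belong to team members whose grant is no longer present, and logs those sessions off (or only reports them with `-ReportOnly`). The group names `Veeam-LocalAdmins-PAM` and `Veeam-Team` and the server list are hypothetical; the membership-TTL format and the `query user`/`logoff` parsing are standard Windows behaviour.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Hypothetical names: 'Veeam-LocalAdmins-PAM'
# is the time-bound (PAM) group nested into each server's local Administrators group,
# 'Veeam-Team' holds the standard users who may request it, and $Servers is a
# constructed list. Run from a management host with RSAT and rights to query and end
# sessions on the servers; schedule it every few minutes so expiry is enforced promptly.
param(
    [string]   $PamGroup  = 'Veeam-LocalAdmins-PAM',
    [string]   $TeamGroup = 'Veeam-Team',
    [string[]] $Servers   = @('VEEAM-01', 'VEEAM-02'),
    [switch]   $ReportOnly            # list stale sessions without logging them off
)

# Current members of the time-bound group, keyed by sAMAccountName, value = remaining TTL
# in seconds (or $null for a permanent link). The DC removes expired links itself, so a
# user who is absent here no longer holds the grant, whatever their existing token says.
function Get-PamMembers([string] $Group) {
    $members = @{}
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($entry in @($g.member)) {
        $dn = $entry; $ttl = $null
        # Time-bound links are returned as '<TTL=3420,CN=jdoe,OU=Users,DC=corp,DC=example>'
        if ($entry -match '^<TTL=(\d+),(.+)>$') { $ttl = [int]$Matches[1]; $dn = $Matches[2] }
        $sam = (Get-ADUser -Identity $dn).SamAccountName.ToLower()
        $members[$sam] = $ttl
    }
    return $members
}

# Interactive sessions on one server, parsed from the fixed-width 'query user' output:
#   USERNAME  SESSIONNAME  ID  STATE  IDLE TIME  LOGON TIME
# SESSIONNAME is blank for disconnected sessions, so it is optional in the pattern.
function Get-ServerSessions([string] $Server) {
    $lines = query user /server:$Server 2>$null
    foreach ($line in (@($lines) | Select-Object -Skip 1)) {
        if ($line -match '^\s*>?(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(Active|Disc)') {
            [pscustomobject]@{
                Server = $Server
                User   = $Matches[1].ToLower()
                Id     = [int]$Matches[3]
                State  = $Matches[4]
            }
        }
    }
}

$granted = Get-PamMembers -Group $PamGroup
$team    = Get-ADGroupMember -Identity $TeamGroup -Recursive |
           ForEach-Object { $_.SamAccountName.ToLower() }

foreach ($server in $Servers) {
    foreach ($s in Get-ServerSessions -Server $server) {
        # Only team members are in scope: their sole route to local admin is the PAM
        # group, so a session without a live grant still carries admin rights in its token.
        if ($team -notcontains $s.User) { continue }
        if ($granted.ContainsKey($s.User)) {
            Write-Verbose ("{0}: {1} still granted, {2}s left" -f $server, $s.User, $granted[$s.User])
            continue
        }
        Write-Warning ("{0}: session {1} of {2} ({3}) outlives its PAM grant" -f
                       $server, $s.Id, $s.User, $s.State)
        if (-not $ReportOnly) {
            # Ending the session discards the logon token; the next logon builds a fresh
            # token from current membership (which 'whoami /groups' on the server reflects).
            logoff $s.Id /server:$server
        }
    }
}
```

Run it first with `-ReportOnly -Verbose` to confirm it only flags the sessions you expect; a forced logoff interrupts whatever the user was doing, so pair it with the approval tool's expiry notice. Disconnected sessions are included on purpose, since a disconnected session keeps its token and can be reconnected to with the old rights intact.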