Update Computer Account Group Membership without Rebooting

Often times when working with SMS 2003 in advanced security mode the need arises to add computer objects to active directory groups. Normally for a computer account to become aware of the group membership change a reboot is required.  Often it is difficult to arrange for the scheduled downtime necessary to reboot a production server.

I've used the below procedure to update the computer's security token without rebooting.  This does take a bit of effort, but it doesn't involve rebooting your server.

  • Download the Klist utility. You'll need to install the .msi package and get klist.exe from the install directory.
  • Next you need to launch an interactive command prompt running as the system account

              Click Start -> Run ->  "AT <time> /i cmd.exe"  

  • (NOTE:   If you are trying to launch an interactive command prompt via a remote desktop session to your server you will need to be logged on to session 0 to see the command prompt.  You can do this by using the following command when connecting to the server.  "mstsc /console" )
  • When command prompt is launched.

               Run "klist purge"

  • Run Gpupdate /force


Your computer's security token should now be updated.