none
"Refreshing" users group membership (vpn-connected client) RRS feed

  • Question

  • Hi together,

    I'm facing a problem regarding group-membership "refresh" on domain computers which connects to our corporate network through an SSL-VPN client only.
    Due to some restrictions we can't start this SSL-VPN client before the user login process.

    On such a windows client the users group membership doesn't match the group membership of the AD user account itself. Querying "whoami /groups" or gpresult displays an outdated state.

    After establishing the SSL-VPN connection a script is executed, which:
    * purge the local kerberos ticket (klist -lh 0 -li 0x3e7 purge)
    * purges the users kerberos ticket (klist purge)
    * runs gpupdate

    But neither of these commands has an affect. Even not after restarting the computer.

    Is there another option to "refresh" the groupmembership or am I misunderstanding the purge of the kerberos tickets?

    Thanks in advance.
    • Moved by Bill_Stewart Wednesday, September 4, 2019 7:45 PM Off-topic
    Monday, March 18, 2019 11:10 AM

All replies

  • You will need to post this in the SSL-VPN forum to learn how to configure the VPN correctly.  This is not a scripting issue.  It is a configuration and deployment issue.


    \_(ツ)_/

    Monday, March 18, 2019 1:52 PM
  • Hi jrv,

    thanks for your reply.

    My question is, if there is a possibility to "refresh" the group membership within a session (without logoff/login).

    As I wrote there are some (administrative) restriction why we are not able to connect to the VPN during logon process (even though it would be possible).

    Best regards
    Andreas

    Monday, March 18, 2019 3:04 PM
  • The answer is still no.  You must configure the VPN server and client correctly or be forced to log off and log on which will not help in this case since the VPN is per-session.  Using a per computer VPN should allow this to work correctly.


    \_(ツ)_/

    Monday, March 18, 2019 4:17 PM
  • Group membership is established at logon by assigning the accounts object called an access token that includes all its group membership. I believe you aren't going to establish this without logging off the user account. 
    Friday, March 29, 2019 7:25 PM