Thursday, June 12, 2008

Kerberos Ticket Granting Ticket

One day I was setting up WSUS and creating a GPO that applies only (via Security Filtering) to a security group whose members are computer accounts. So I started adding computers to this new security group.

I waited... waited... and waited... but nothing happened on the WSUS console. The computers I had added to the security group did not appear there.

I ran gpresult and found that the GPO had not been applied to the computer. I ran gpupdate /force many times, but nothing worked.

It turns out that the computer does not learn about its new group membership until its Kerberos TGT is renewed: the ticket carries the account's group SIDs as they were when the ticket was issued. To renew the ticket, the computer has to be restarted, you wait 7 days (the default value), or you use klist.exe to purge the ticket and obtain a new one. Because the computer knew nothing about its new membership, the GPO was not applied to it.

To use KLIST, do the following:
  • get psexec.exe from Microsoft Sysinternals
  • get klist.exe from the Windows Resource Kit Tools
  • get nltest.exe from the Windows Resource Kit Tools
  • run cmd.exe as a SYSTEM shell (the computer account's tickets live in the SYSTEM logon session):

    psexec.exe /i /s /d cmd.exe

  • from that new cmd prompt, run:

    klist tgt

  • check when the ticket was issued/renewed
  • to purge the tickets, run:

    klist purge

  • to renew the tickets, run:

    nltest /dclist:

Then you can run gpupdate /force again to apply the GPO, and run wuauclt.exe /detectnow to register the client with the WSUS server.
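The same check and fix as a script, added here as an example and not part of the original post. It assumes the klist.exe built into Windows 7 / Server 2008 R2 and later (which accepts -li 0x3e7 to address the SYSTEM logon session from an elevated prompt, so psexec is not needed) and its "StartTime : <date> (local)" output line; the time the computer joined the group is supplied by the administrator.

```powershell
# Added example (not from the original post). Detects a computer-account TGT
# issued before the group-membership change and, with -Fix, purges it so the
# next authentication carries the new group SIDs and the filtered GPO applies.
# Assumption: built-in klist.exe output contains a line such as
#   StartTime : 6/12/2008 8:00:00 (local)
# 0x3e7 is the well-known logon ID of the SYSTEM session, which holds the
# computer account's Kerberos tickets. Run from an elevated prompt.
param(
    # When the computer account was added to the security group (administrator-supplied)
    [Parameter(Mandatory)] [datetime] $MembershipChangedAt,
    # Purge and re-apply policy instead of only reporting
    [switch] $Fix
)

function Get-SystemTgtStartTime {
    $out = & klist.exe -li 0x3e7 tgt 2>&1
    # Accept both "StartTime" (klist tgt) and "Start Time" (klist tickets) spellings
    $line = $out | Where-Object { $_ -match 'Start\s*Time\s*:' } | Select-Object -First 1
    if (-not $line) { return $null }                       # no cached TGT for SYSTEM
    if ($line -match 'Start\s*Time\s*:\s*(.+?)\s*(\(local\))?\s*$') {
        return [datetime]$Matches[1]
    }
    return $null
}

$tgtStart = Get-SystemTgtStartTime
if ($null -eq $tgtStart) {
    Write-Output "No cached TGT in the SYSTEM session; the next logon or policy refresh will obtain a fresh one."
}
elseif ($tgtStart -lt $MembershipChangedAt) {
    Write-Output "TGT issued $tgtStart, before the membership change at $MembershipChangedAt."
    Write-Output "Ticket predates the new group: a GPO filtered on that group will not apply yet."
    if ($Fix) {
        & klist.exe -li 0x3e7 purge | Out-Null   # drop SYSTEM's tickets; replacements carry current groups
        & gpupdate.exe /force | Out-Null         # re-evaluate policy with the new ticket
        & wuauclt.exe /detectnow                 # as in the post: report to WSUS with the new GPO settings
        Write-Output "Tickets purged and policy refreshed."
    }
}
else {
    Write-Output "TGT issued $tgtStart, after the membership change: the ticket already carries the new group."
}
```

Run it as `.\Check-StaleTgt.ps1 -MembershipChangedAt '2008-06-12 09:00' -Fix` from an elevated PowerShell prompt; without -Fix it only reports.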