
2.6. How To Purge Kerberos Ticket via Group Policy using Klist

NOTE: This article applies not only to WEC/WEF but also to general Active Directory use, whenever you want to force a computer to recognize that it has been added to a new group.

Our recommendation is to add forwarding endpoints into an AD group and then add that group to the Allowed Forwarders in your subscription settings in Supercharger. It is much easier to manage a group with thousands of endpoints than to manage endpoints individually. The problem is a delay in AD: when a computer is added to a group in AD, it does not know that it has been added until one of two things happens:

1. The computer is rebooted
2. The Kerberos ticket cache is cleared, which does not require a reboot.

Below are the steps to clear the Kerberos ticket cache via Group Policy so that this does not have to be performed manually on each endpoint.

1. In Group Policy Management, right click on the target GPO and select "Edit".

2. Navigate to Computer Configuration\Preferences\Control Panel Settings\Scheduled Tasks


3. Right click and select "New" and then "Immediate Task (At least Windows 7)".

4. Name the task.

5. Click on "Change User or Group" and make sure "From this location" is using the correct domain. Type "system" in the name box and then click on "Check Names".

6. Make sure SYSTEM is selected and click "OK".

7. You should now have "NT AUTHORITY\System" as the user account. Also make sure "Run whether user is logged on or not" and "Run with highest privileges" are both selected.

8. Click on the "Actions" tab and select "New...". Enter "%systemroot%\system32\klist.exe" in the Program/script box. Add "-lh 0 -li 0x3e4 purge" in the "Add arguments (optional)" box. Click "OK".

9. Click on the "Common" tab and check "Apply once and do not reapply." and "Item-level targeting." Then click the "Targeting..." button.

10. Click on the "New Item" dropdown and select "Date Match".

11. Select "On date" in the dropdown and use today's date.

12. Click "OK" and click "OK" again to create the task.

13. The task will now be applied on the next Group Policy update.
TIP - If your domain controller is running Windows Server 2012 R2, you should be able to right-click the OU in Group Policy Management and choose "Group Policy Update" to trigger an update on the computers in that OU.
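As an added example (not from this KB article or the Supercharger product), the following PowerShell script runs the same klist purge the immediate task executes, from an elevated prompt, and reports the cached ticket count for the logon session before and after, so you can confirm on one endpoint that the purge works before rolling the GPO out. It also registers a local scheduled task with the same SYSTEM principal, action and arguments as the GPO task for a single-endpoint test; the function names, task name and the `$LogonIds` parameter are my own.

```powershell
# Added example: verify the klist purge used by the GPO immediate task on one endpoint.
# Run from an elevated PowerShell prompt (seeing another logon session's cache requires admin rights).
param(
    # Well-known logon session IDs: 0x3e4 = Network Service (the value the article uses),
    # 0x3e7 = Local System. Pass several IDs to purge more than one session.
    [string[]]$LogonIds = @('0x3e4')
)

$klist = Join-Path $env:SystemRoot 'System32\klist.exe'

# Count cached tickets for a logon session by parsing klist's "Cached Tickets: (N)" line.
function Get-KerberosTicketCount {
    param([string]$LogonId)
    $line = & $klist -lh 0 -li $LogonId |
            Select-String -Pattern 'Cached Tickets:\s*\((\d+)\)' |
            Select-Object -First 1
    if ($line) { return [int]$line.Matches[0].Groups[1].Value }
    return 0
}

# Purge the session's cache with exactly the arguments the article's task uses.
function Clear-KerberosTicketCache {
    param([string]$LogonId)
    & $klist -lh 0 -li $LogonId purge | Out-Null
}

# Register and start a local copy of the GPO task (SYSTEM, highest privileges) for testing.
function Register-KlistPurgeTestTask {
    param([string]$LogonId = '0x3e4', [string]$TaskName = 'Purge-KerberosCache-Test')
    $action    = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\klist.exe" `
                                         -Argument "-lh 0 -li $LogonId purge"
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                                            -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Force | Out-Null
    Start-ScheduledTask -TaskName $TaskName
}

foreach ($id in $LogonIds) {
    $before = Get-KerberosTicketCount -LogonId $id
    Clear-KerberosTicketCache -LogonId $id
    $after  = Get-KerberosTicketCount -LogonId $id
    Write-Output ("Logon session {0}: {1} ticket(s) before purge, {2} after" -f $id, $before, $after)
    if ($after -ne 0) { Write-Warning "Cache for $id is not empty; check that you are running elevated." }
}
```

The session re-acquires tickets the next time the computer account authenticates (for example on the next WEF connection), and those new tickets carry the updated group membership; remove the test task with `Unregister-ScheduledTask` once you are satisfied.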
