How to make permission re-apply for a logged-in user in Windows AD without making him log in again

Developer https://www.devze.com 2023-04-06 11:00 Source: Internet

I am remotely removing a user U from a Group G. But I have to log off and log on the user U to ensure that permissions for Group G do not apply any more to User U.

This is on a Windows 2008 server.

Is there a way to force the entire exercise of calculating permissions (which is done when a user logs in) while the user is logged in?

Thanks in advance.


You can purge the Kerberos TGT (and all your service tickets) using something like klist purge. I don't know what APIs to call to do this programmatically.

This will just refresh the groups (and rights) in your token when you access remote resources, though.


The list of group SIDs a user belongs to is computed in the user token, which is inserted in his processes, so in my opinion, you need the logoff/logon.


You can find the source of Klist.exe described by @Brian Desmond in the Windows Platform SDK (the API in use is LsaCallAuthenticationPackage)

C:\Program Files\Microsoft SDKs\Windows\v7.0\Samples\security\authorization\klist
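
The answers above say that group SIDs are fixed in the logon token, so a removal from Group G can be checked from inside User U's session by comparing the token with the directory. The PowerShell below is an added example, not code from the original answers; the function name Get-StaleTokenGroup is hypothetical, and it assumes a domain account in a session that can reach a domain controller.

```powershell
# Added example: report domain group SIDs that are still in the current
# logon token but are no longer returned by the directory for this user.
# Assumption: run inside the affected user's session on a domain-joined host.
function Get-StaleTokenGroup {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $userSid   = $identity.User
    $domainSid = $userSid.AccountDomainSid
    if ($null -eq $domainSid) { throw "Current account has no domain SID." }

    # Group SIDs placed in the token at logon. Well-known and local SIDs
    # (Everyone, BUILTIN\Users, ...) are skipped by matching the domain prefix.
    $prefix    = $domainSid.Value + '-*'
    $tokenSids = @($identity.Groups |
        Where-Object { $_.Value -like $prefix } |
        ForEach-Object { $_.Value })

    # Current membership as the directory computes it: tokenGroups is a
    # constructed attribute, so it has to be loaded explicitly.
    $user = [ADSI]"LDAP://<SID=$($userSid.Value)>"
    $user.psbase.RefreshCache([string[]]@('tokenGroups'))
    $dirSids = @($user.psbase.Properties['tokenGroups'] | ForEach-Object {
        (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$_, 0)).Value
    })

    # Anything in the token but not in the directory is a stale membership.
    foreach ($value in $tokenSids) {
        if ($dirSids -notcontains $value) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($value)
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved)' }
            New-Object PSObject -Property @{ Sid = $value; Name = $name }
        }
    }
}

Get-StaleTokenGroup
```

A row for Group G means processes in this session still carry its SID; no output means the token and the directory agree for this domain's groups.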