Kerberos ticket not refreshing for Admin account in Windows 10

Guillaume deW. 0 Reputation points
2023-12-04T15:52:41.6433333+00:00

Hello all !

I have an issue regarding a Kerberos ticket not refreshing correctly.

Context:
An AD group exists: MyComputer_AdminGroup. This group has been added to the local Administrators group. The admin account of a user (admin_user) has been added to the AD group. admin_user should now be an admin of MyComputer. But he's not.

I added admin_user as a local admin of the computer (not via AD) so he could run CMD.exe as admin and execute the command

whoami /groups

MyComputer_AdminGroup does not appear in all the groups listed by the command.

The connection is made without VPN. 6 days have passed since the account was added to the AD group. The computer has been rebooted many times.

What I've been trying to do:

klist purge
Deleting all tickets:
Ticket(s) purged!
→ Success

whoami /groups
→ Still the same result as before: no trace of 

klist
→ Success: 2 tickets are in the cache. Start and end times are correct.


The problem occurs randomly, for several computers and several users.

Could you help me understand why the Kerberos ticket isn't refreshed with the correct access rights?

Thank you very much !

Guillaume

Edit:

I forgot to mention that the Windows session isn't opened with the admin account. It's opened with the non-privileged account of the person.


2 answers

  1. Thameur-BOURBITA 32,626 Reputation points
    2023-12-04T17:26:18.4833333+00:00

    Hi @Guillaume deW.

    I forgot to mention that the Windows session isn't opened with the admin account. It's opened with the non-privileged account of the person.

    In this case, when you launch whoami /groups, this command will show the groups of the non-privileged account,
    and when you launch klist purge, you will purge the Kerberos tickets of the non-privileged account.

    If you want to check the groups of the admin account, you have to open a Windows session with the admin account and then launch whoami /groups.


    Please don't forget to accept the helpful answer.

    1 person found this answer helpful.

  2. Daisy Zhou 20,876 Reputation points Microsoft Vendor
    2023-12-06T06:26:42.28+00:00

    Hi Guillaume deW,

    Thank you for posting in Q&A forum.

    whoami /groups

    Displays the user groups to which the current user belongs.

    For more information about the command whoami, please check the link below.

    whoami | Microsoft Learn

    I have done a test in my lab:

    AD group: testgroup1, like MyComputer_AdminGroup in your case.

    AD user: t2 (I added t2 to testgroup1 and Administrators in the domain), like admin_user in your case.

    AD user: t2-xiashu

    Local user on the domain machine (member server): tt1

    I added testgroup1 to the local Administrators group on the domain machine (member server).

    ONLY when I sign in using the domain account t2 on the domain machine (member server) and run whoami /groups do I see A\testgroup1.

    If I sign in using tt1, t2-xiashu or A\administrator on the domain machine (member server) and run whoami /groups, I will not see A\testgroup1.

    If you want to check the security list, you can also go to Users and Computers to check the local admin group members.

    You can also check below documents for Kerberos Authentication:
    How the Kerberos Version 5 Authentication Protocol Works: Logon and Authentication | Microsoft Learn

    Note: In my lab, all the users and domain machines are joined to the domain.

    Hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Daisy Zhou
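Both answers above make the same point: whoami /groups and klist operate on the logon session you are sitting in, so checking the non-privileged session tells you nothing about admin_user's token. The script below is an added example, not code from the original thread or from either answerer. It contrasts the three places the membership can live: the access token of the current logon session (what whoami /groups prints, built from the PAC at logon time and not rebuilt by klist purge), the local Administrators group on the machine, and the memberOf attribute of the account in AD. It then prints the runas command that starts a fresh logon session for the admin account, which is the way to inspect that account's token without logging the interactive user off. The domain name CONTOSO and the account and group names are assumptions taken from the question; replace them with your own.

```powershell
# Added example (not from the original thread): compare what the current
# access token contains with what the local Administrators group and AD say.
# Assumed names (hypothetical, from the question): domain CONTOSO,
# admin account CONTOSO\admin_user, AD group MyComputer_AdminGroup.
param(
    [string]$Domain    = 'CONTOSO',
    [string]$AdminUser = 'admin_user',
    [string]$GroupName = 'MyComputer_AdminGroup'
)

# 1. Group SIDs in the token of the process running this script, resolved to
#    names. This is exactly what "whoami /groups" reports: the logon session's
#    token, which was built from the PAC when that session logged on.
#    Purging tickets with klist does not rebuild this token.
function Get-TokenGroups {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $id.Groups | ForEach-Object {
        try   { $_.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $_.Value }   # SID that cannot be resolved: keep the raw S-1-... form
    }
}

# 2. Current members of the local Administrators group, looked up by the
#    well-known SID S-1-5-32-544 so this also works on non-English systems.
function Get-LocalAdminMembers {
    Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
}

# 3. Direct group memberships of the account as stored in AD, via ADSI
#    (no RSAT module required). Nested memberships are not expanded here.
function Get-AdMemberOf {
    param([string]$SamAccountName)
    $searcher = [ADSISearcher]"(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    $result   = $searcher.FindOne()
    if (-not $result) { throw "Account $SamAccountName not found in AD" }
    $result.Properties['memberof'] | ForEach-Object {
        # Reduce "CN=MyComputer_AdminGroup,OU=...,DC=..." to the first RDN value
        if ($_ -match '^CN=([^,]+)') { $Matches[1] } else { $_ }
    }
}

$qualifiedGroup = "$Domain\$GroupName"
$tokenGroups    = Get-TokenGroups
$localAdmins    = Get-LocalAdminMembers
$adGroups       = Get-AdMemberOf -SamAccountName $AdminUser

"Running as: " + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
"Token of this logon session contains $qualifiedGroup : " + ($tokenGroups -contains $qualifiedGroup)
"Local Administrators contains $qualifiedGroup        : " + ($localAdmins -contains $qualifiedGroup)
"AD memberOf for $AdminUser contains $GroupName       : " + ($adGroups -contains $GroupName)

# 4. To see the admin account's own token, start a new logon session for it.
#    runas authenticates the account afresh, so the new session gets its own
#    TGT and a token built from the PAC as it is now, without logging the
#    interactive user off.
"To inspect the admin account's token, run:"
"  runas /user:$Domain\$AdminUser `"cmd /k whoami /groups`""
```

If the AD memberOf line reports True but the token line reports False in the runas session as well, the membership is present in AD but not yet in the PAC the domain controller issued; if the local Administrators line reports False, the group was never added to the local group on that particular machine, which is a different problem from the one the question describes.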