Change NTFS permissions to the shared folder without LogOff

OZ 286 Reputation points
2024-04-07T07:46:53.19+00:00

I have a shared folder that 10 users have Modify access to. I want to place all these users in a separate group and give this group Modify access to the folder, and remove the users from the NTFS permissions. I know that all 10 users will have to log off and log in again. I also know that it’s possible to issue a new Kerberos ticket by killing the old one, or simply launch a new explorer through runas under the same user. But I also heard that users can simply wait 10 hours without logging off and a Kerberos ticket will be issued automatically and the user will have access to the folder. In this case, it would be possible to do all the actions in the evening, and in the morning nothing would change for the user. I did an experiment with a test user who first had direct access to a folder, then I removed the user from the folder's NTFS permissions, placed him in a group and gave that group the same access. As a result, the user lost access to the folder. I waited until the morning (12 hours passed) and nothing changed - access did not appear. When I did LogOff/LogOn, access appeared. In this regard, two questions:

  1. Why couldn’t you just wait 10 hours?
  2. If suddenly there is a computer (or rather a server) with access to the folder, do I need to reboot this computer after I remove it from the NTFS folder and place it in a group with access? If this is so, then everything becomes even more complicated.
Windows for business | Windows Server | User experience | Other

Answer accepted by question author
  1. Anonymous
    2024-04-08T02:14:18.24+00:00

    Hello OZ,

    Thank you for posting in Q&A forum.

    From the link below, I can see:

    How long a ticket is valid depends on the policy for the realm. Although the RFC recommends a maximum ticket lifetime of one day, in both MIT Kerberos 5 Release 1.3.1 and the Windows 2000 or Windows Server 2003 implementations of the Kerberos protocol, tickets are good for no longer than 10 hours by default, about the length of a normal logon session. When the user logs off, the credentials cache is flushed and all service tickets—as well as all session keys—are destroyed.

    It seems the logoff is needed for you to flush the credentials cache.

    For more information, you can read link below.

    How the Kerberos Version 5 Authentication Protocol Works
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)?redirectedfrom=MSDN

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


1 additional answer

  1. Thameur-BOURBITA 36,491 Reputation points Moderator
    2024-04-07T09:25:05.25+00:00

    Hi

    The list of SIDs of the user's group memberships is added to the PAC. The PAC is an extension of the Kerberos token.

    So when you change a user's group membership, you should wait for the expiration of the user's Kerberos tickets in the cache, or ask the user to log off and log on again, or ask the user to run this command to purge all Kerberos tickets in the cache, so that all Kerberos tickets are renewed with the information added to the PAC:

    klist purge

    Please don’t forget to accept the helpful answer.
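
The migration the question describes, followed by the check the answers imply, as an added PowerShell example that is not code from this thread or from Microsoft. It assumes the RSAT ActiveDirectory module, rights to edit the share's ACL, and placeholder values for the share path, file server, group name and user list; the klist.exe output layout parsed in the last function is also an assumption.

```powershell
# Added example, not from the thread. Placeholders below are constructed.
$Share      = '\\filesrv01\Projects'   # placeholder UNC path
$FileServer = 'filesrv01'              # placeholder host, used by the klist check
$GroupName  = 'Projects-Modify'        # placeholder group name
$Users      = 'alice', 'bob', 'carol'  # placeholder sAMAccountNames
$Domain     = $env:USERDOMAIN

# 1. Create the group and move the users into it.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $GroupName -Members $Users

# 2. Grant the group Modify and drop each user's direct ACE in a single Set-Acl,
#    so the folder is never saved with neither entry present.
$acl     = Get-Acl -Path $Share
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
               "$Domain\$GroupName", 'Modify', $inherit, 'None', 'Allow')
$acl.AddAccessRule($rule)
foreach ($u in $Users) {
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq "$Domain\$u" } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
}
Set-Acl -Path $Share -AclObject $acl
$changeTime = Get-Date   # remember when the ACL was changed

# 3. Run in an affected user's session: does the cache still hold a CIFS service
#    ticket for the file server issued before the change? Its PAC predates the new
#    group membership, so that user needs 'klist purge' or a fresh logon.
function Get-CachedCifsTicket {
    param([string]$Server)
    # Assumption: klist prints one "#n>" block per ticket with "Server:" and
    # "Start Time: ... (local)" lines; the date cast follows the local format.
    $blocks = (klist | Out-String) -split '(?m)^#\d+>'
    foreach ($b in $blocks) {
        if ($b -match "(?m)^\s*Server:\s*cifs/$Server[^\r\n]*" -and
            $b -match '(?m)^\s*Start Time:\s*(.+?)\s*\(local\)') {
            return [pscustomobject]@{ Server = $Server; StartTime = [datetime]$Matches[1] }
        }
    }
}
$t = Get-CachedCifsTicket -Server $FileServer
if ($t -and $t.StartTime -lt $changeTime) {
    Write-Warning "Ticket for $FileServer issued $($t.StartTime), before the change: run 'klist purge' or log off and on."
}
```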
