Why sometimes is required to log off and log on back again adding a group to a user

security windows-server-2008-r2 uac
11,906

You mention local users and groups, so setting aside Active Directory.

You should always need to re-authenticate in order for the user's security token to contain the new group membership. This typically means you need to re-login. LSASS only hands this token out when the user authenticates, which is usually only at logon but you can do something like C:\> runas /user:Yourself cmd.exe and that will prompt you for your password and you will go through authentication again and your new group membership will be picked up. (But I cannot guarantee that any other running applications that may have queried for your group memberships are going to refresh their data without restarting those applications, etc.)

(Not mentioning klist.exe because we are only talking about local users and groups.)

This article is pretty much the authority on the matter.

When a user is authenticated, the Local Security Authority (LSA) creates an access token — in this case, a primary access token — for that user. An access token contains a security identifier (SID) for the user, all of the SIDs for the groups to which the user belongs, and the user’s privileges. If you add a user to a group after the user’s access token has been issued, or modify privileges assigned to the user account, the user must log off and then log on again before the access token will be updated.

Whenever a thread or process interacts with a securable object or tries to perform a system task that requires privileges, the operating system checks the effective access token to determine its level of authorization. If a thread is impersonating, the effective token is usually taken to be the token on the thread. If a thread interacting with the securable object is not impersonating, then the token on the process is examined for the access decision.

Thus, there are two kinds of access tokens, primary and impersonation. Every process has a primary token that describes the security context of the user account associated with the process. A primary access token is typically assigned to a process to represent the default security information for that process. Impersonation access tokens, on the other hand, are usually used for client/server scenarios. Impersonation tokens enable a thread to execute in a security context that differs from the security context of the process that owns the thread.

Share:
11,906

Related videos on Youtube

user1034912
Author by

user1034912

Updated on September 18, 2022

Comments

  • user1034912
    user1034912 over 1 year

    In Windows systems (particularly Windows Server 2008R2 which I an using), sometimes when I add a local user to a local group, the user needs to log-off and log-on back again before this new group is registered to him.

    But Sometimes as well, the group registration is done immediately.. without the user having to log-off and log-on back again..

    why is this so?

  • user1034912
    user1034912 over 10 years
    Thanks for the explanation. But sometime I don't need to authenticate. It just works when I add in a user to a group. It's really funny....
  • Ryan Ries
    Ryan Ries over 10 years
    Lots of things can go on in the background that silently cause authentications without you knowing it. Windows Services doing impersonations, scheduled tasks, etc. An application that queries the group membership directly instead of querying the currently logged on user's token can also get around this.
  • charleswj81
    charleswj81 over 10 years
    @RyanRies: One nitpick on the the runas trick: the new token will only apply to the process you launch and its children. Any existing processes or children of those processes will continue to inherit the original token.
  • Ryan Ries
    Ryan Ries over 10 years
    @charleswj81 Agreed - a full logoff/logon is best.
  • John K. N.
    John K. N. over 7 years
    Could you add a short explanation in reference to the source. Just in case the video gets deleted. Would be bad to have an answer without any information.
  • Moiz Tankiwala
    Moiz Tankiwala over 7 years
    I have added as you suggested @hot2use. Please remove the -1

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Run .NET application as administrator
How can I Install ActiveX in Windows 2008 R2?
Should I encrypt a hardware RAID5 on my homeserver? How?
Disable UAC and XP Pro 32 Bit
How can I get around "error 0x80070522" when creating files in the root of the C drive (C:\)?
Windows - Decrypt encrypted file when user account is destroyed
How do I disable administrator prompt in Windows 8?
Anonymous Authentication <anonymousAuthentication> / 403 - Forbidden: Access is denied
Windows UAC disabled but I'm still getting the elevation pop-up
Best practices for hardening/locking down Windows Server 2008 R2 for use as web server?