*чуть позже переведу 🙂
This might be very useful for certain situations where you want to update a user’s or computer’s group membership without the need to re-logon / restart. The whole magic is behind the issued kerberos tickets after you logged on to a machine or a machine has been started. The tool “klist.exe” cannot only be used for troubleshooting to display the current issued TGT / TGS, it is also capable to purge all current tickets. The purge command results in a re-issuance of the tickets, as soon as the next auth or service request is taking place. Keep in mind that this method only works for services which authenticate via Kerberos. NTLM based authentication still requires a fresh logon with updated group membership token.