Windows 10: Force logged on user to update its local group membership

Question

Is there a way to force a user to gain newly given local rights, without requiring the user to login again?

Assume the following scenario:

A computer is part of a Windows Domain environment. The user DOMAIN\JOHN logs on his computer, JOHNPC. The DOMAIN\Domain Users group is part of the local "Users" group on JOHNPC. So John is allowed to log onto the PC as a regular user.

If we then to remotely add John to the "Administrators" group of JOHNPC:

psexec \\JOHNPC net localgroup Administrators /add DOMAIN\JOHN

This works. If the still logged on JOHN executes

net localgroup Administrators

He will see himself as a local administrator. However, Windows does not reflect this. John is unable to run any elevated programs despite being a local admin. We notice he has to log off and log on again for Widnows to recognize his newly given local Administrator rights.

Is there a way to force this behaviour to update while John remains logged on?

Answer 1

Not possible. When the user logs on, an Access Token is created (well, since UAC it’s technically two for elevated/non-elevated). The token is immutable. It contains an immutable copy of all privileges held by the token.

These tokens are usually inherited between processes, except with elevation.

The only way to get a new token is to log in again. You can also use runas for this purpose, even to restart explorer.exe. But any running processes will retain their old tokens.