Purging Kerberos Tickets for All Accounts

Apr 12, 2018

In the previous tip we covered klist.exe and how it can be used to purge all Kerberos tickets for the current user so that new permissions will take effect immediately.

While PowerShell can run external apps like klist.exe just fine, things become even more useful when you combine this with other PowerShell commands. This code gets you all logon sessions that do not use NTLM (i.e. Kerberos sessions):

Get-WmiObject -ClassName Win32_LogonSession -Filter "AuthenticationPackage != 'NTLM'"

Run it from an elevated PowerShell to see all logon sessions. And with just a minimal adjustment, you get the hexadecimal logon IDs:

Get-WmiObject -ClassName Win32_LogonSession -Filter "AuthenticationPackage != 'NTLM'" | 
ForEach-Object {[Convert]::ToString($_.LogonId, 16)}

To purge all cached Kerberos tickets for all available sessions, you could run this (from an elevated PowerShell):

Get-WmiObject -ClassName Win32_LogonSession -Filter "AuthenticationPackage != 'NTLM'" | 
ForEach-Object {[Convert]::ToString($_.LogonId, 16)} |
ForEach-Object { klist.exe purge -li $_ }
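
The same purge wrapped in a function, as an added example that is not part of the original tip: it checks for elevation, supports -WhatIf, and reports which account each purged session belongs to. The function name Clear-KerberosTicketCache, the output shape, the 0x prefix on the logon ID and the use of Get-CimInstance (Get-WmiObject is not available in PowerShell 7) are choices made for this example.

```powershell
#Requires -Version 3.0
# Added example: the function name and output properties are assumptions,
# not code from the original tip.
function Clear-KerberosTicketCache {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # The tip requires an elevated PowerShell; fail early if this one is not.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell.'
    }

    # Same filter as the tip, using the CIM cmdlet instead of Get-WmiObject.
    $sessions = Get-CimInstance -ClassName Win32_LogonSession -Filter "AuthenticationPackage != 'NTLM'"

    foreach ($session in $sessions) {
        # LogonId comes back as a decimal string; klist.exe takes it in hexadecimal.
        $hexId = '0x{0:x}' -f [uint64]$session.LogonId

        # Resolve the account behind the session so the output shows whose tickets were purged.
        $account = Get-CimAssociatedInstance -InputObject $session -ResultClassName Win32_Account -ErrorAction SilentlyContinue |
            Select-Object -First 1

        if ($PSCmdlet.ShouldProcess("logon session $hexId ($($account.Caption))", 'Purge Kerberos tickets')) {
            $null = & klist.exe purge -li $hexId
            [pscustomobject]@{
                LogonId  = $hexId
                Account  = $account.Caption
                Package  = $session.AuthenticationPackage
                ExitCode = $LASTEXITCODE
            }
        }
    }
}

# Preview which sessions would be touched without purging anything.
Clear-KerberosTicketCache -WhatIf
```

Drop -WhatIf to perform the purge; each returned object records the session, its account and the klist.exe exit code.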
