How to update a user's token after updating group membership over a user-initiated VPN?
The problem:
Users are at home and first they log on to their machines using cached credentials, and only AFTER the login do they start the VPN connection process. But later, the user is added to a new group. How to reflect the change in the user's session?
So, the scenario is:
1) user belongs to the "Domain Users" group and nothing more
2) user goes home
3) user powers on the PC/notebook at home and logs in using cached credentials; yet, he's only a member of the "Domain Users" group
4) user asks for a privilege to access a folder or application
5) IT dept. adds the user to a new group: "HR_GlobalGroup"
6) The user must log off and log on to be considered in the new group.. but... if the user logs off, the VPN connection is dropped, and even if the user logs on again, he'll again log on with cached credentials and therefore the security token is not going to be updated; again, the user is a member only of the "Domain Users" group, because during the logon process he's not connected to the AD/DC environment to validate the new group.
So, looking to the future, home office for everyone.. how to give users new security tokens without logging off/on again?
The first idea that comes to mind: create the VPN connection as local admin and try to start the VPN connection within the login process, but this approach will not work in every case, because some VPN dial software is not ready to be used before the user logs in, and also because sometimes users connect using home Wi-Fi networks and Wi-Fi is available only after login.
So.. what should I do?
I want an "elegant" solution, because killing explorer.exe is risky and ugly!
I also tried two approaches using klist but I can't find a way to use it, although some people around say that it is possible:
klist -lh 0 -li 0x3e7 purge
klist tgt
or
klist purge
klist tgt
gpupdate /target:user
===========
This approach works, but I think it's a last-resort option:
taskkill.exe /F /IM explorer.exe
runas /user:%USERDOMAIN%\%USERNAME% explorer.exe
There is a worse solution and I'm not willing to recommend it either:
Use runas to open a new command prompt and start new processes from this new cmd.. the ugliest solution of all time!
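As an added example (not from the original post), the script below makes the staleness described above visible: it compares the group SIDs carried by the running session's access token with the transitive membership AD would put in a fresh token (the constructed tokenGroups attribute). It assumes a domain-joined machine with the VPN already up so a domain controller is reachable; the function names are my own.

```powershell
# Added example, not part of the original post.
# Compares the group SIDs in the current logon token (what this session can
# actually use) with the user's AD tokenGroups (what a fresh logon would get).
# Assumes: domain-joined machine, VPN connected, a DC reachable for LDAP.

function Get-TokenGroupSids {
    # SIDs present in the access token of the running session
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $id.Groups | ForEach-Object { $_.Value }
}

function Get-AdGroupSids {
    # tokenGroups is a constructed attribute, so it is read with RefreshCache
    # on the user object rather than through the searcher's property list
    $searcher = [ADSISearcher]"(&(objectClass=user)(sAMAccountName=$env:USERNAME))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account $env:USERNAME not found in AD (is the VPN up?)" }
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))
    foreach ($raw in $entry.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    }
}

function Get-StaleTokenGroups {
    # AD groups the user belongs to now but that the current token does not carry
    $token = Get-TokenGroupSids
    Get-AdGroupSids | Where-Object { $token -notcontains $_ }
}

$missing = @(Get-StaleTokenGroups)
if ($missing.Count -eq 0) {
    Write-Output "Token already reflects current AD membership."
} else {
    foreach ($sid in $missing) {
        # Resolve to a readable name when the DC can translate it
        $name = try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }
        Write-Output "Not in current token (needs a fresh logon): $name"
    }
}
```

Run it once after the IT department adds the new group: if "HR_GlobalGroup" is listed as missing, the session is still using the cached-credential token and any workaround has to produce a new logon session to pick it up.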