Re: Kerberos User Ticket Lifetime

From: Wong Tuck Wah (WongTuckWah_at_discussions.microsoft.com)
Date: 08/03/05


Date: Tue, 2 Aug 2005 20:51:19 -0700

Hmm... yes, the tricky part is that Kerberos is part of Account Policy.

I always wonder whether we can create 2 GPOs with different account policy,
and link them to the domain level. Using filtering to assign the specific
groups to the appropriate GPO so that they will get the right settings.

I have simulated this setup and confirmed using GP Modelling tool to show that
different groups do inherit the correct GP settings, including Account
Policy.

I did not have time to try out whether users do receive the right Kerberos
settings, as I need to know the exact registry key and value they receive before
and after applying the settings. This will then conclude my hypothesis.

Any idea where the exact path of the ticket cache is?

TIA.

"Joe Richards [MVP]" wrote
> This policy can only be set at the domain level.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Kit wrote:
> > Hi,
> > In Windows 2000 Server and Windows Server 2003, is it possible to set
> > Maximum User Ticket Lifetime at a userid level, or only at the domain level
> > with the Maximum User Ticket Lifetime parm? I would like to have a domain
> > setting that would cover most of the users, and set a shorter ticket lifetime
> > on the users who are in the Administrators groups, but didn't see a way that
> > a shorter lifetime could be set on those individual userids to achieve that.
> > Anyone know if that's possible, and if so, how you'd do that?
> >
> > Thanks in advance!
> > - Kit
>


