Re: Kerberos User Ticket Lifetime

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 08/04/05


Date: Wed, 03 Aug 2005 19:13:44 -0400

Again this doesn't work. Account policy is a single-instance thing on domain
controllers. It is computer based, not user based. You could get it so one DC
would have one policy and another would have a different policy, but that can only be
accomplished by breaking the FRS and AD replication mechanisms so that policy
doesn't properly replicate.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Wong Tuck Wah wrote:
> Hmm... yes, the tricky part is that Kerberos is part of Account Policy.
> 
> I always wonder whether we can create 2 GPOs with different account policies, 
> link them to the domain level, and use filtering to assign the specific 
> groups to the appropriate GPO so that they get the right settings.
> 
> I have simulated this setup and confirmed, using the GP Modelling tool, that 
> different groups do inherit the correct GP settings, including Account 
> Policy. 
> 
> I did not have time to try out whether users do receive the right Kerberos 
> settings, as I need to know the exact registry key and value they receive before 
> and after applying the settings. This will then conclude my hypothesis.
> 
> Any idea where the exact path of the ticket cache is?
> 
> TIA. 
> 
> 
> "Joe Richards [MVP]" wrote
> 
>>This policy can only be set at the domain level.
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>
>>Kit wrote:
>>
>>>Hi,
>>>In Windows 2000 Server and Windows Server 2003, is it possible to set 
>>>Maximum User Ticket Lifetime at a userid level, or only at the domain level 
>>>with the Maximum User Ticket Lifetime parm?  I would like to have a domain 
>>>setting that would cover most of the users, and set a shorter ticket lifetime 
>>>on the users who are in the Administrators groups, but didn't see a way that 
>>>a shorter lifetime could be set on those individual userids to achieve that.  
>>>Anyone know if that's possible, and if so, how you'd do that?
>>>
>>>Thanks in advance!
>>>- Kit
>>
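The check Wong Tuck Wah says he did not get to, whether users end up with the domain-level ticket lifetime or the value from a group-filtered GPO, as an added PowerShell example (not code from the thread or from any of its authors): it parses the output of `klist` on the user's workstation, measures the TGT lifetime and compares it with both configured values. The klist text, the CORP.EXAMPLE realm and the 10h/2h values are constructed assumptions, and timestamp parsing assumes klist's US-style M/d/yyyy H:mm:ss format.

```powershell
# Added example, not from the thread. Determine which Kerberos policy a user actually
# received by measuring the TGT lifetime shown by 'klist' on the workstation.
function Get-TgtLifetimeHours {
    param([Parameter(Mandatory)][string]$KlistText)
    # klist prints one block per cached ticket, each starting with '#n>'.
    foreach ($block in ($KlistText -split '(?m)^#\d+>')) {
        # The TGT is the ticket for the krbtgt/<REALM> service principal.
        if ($block -notmatch 'Server:\s+krbtgt/') { continue }
        $start = [regex]::Match($block, 'Start Time:\s+(.+?)\s+\(local\)').Groups[1].Value
        $end   = [regex]::Match($block, 'End Time:\s+(.+?)\s+\(local\)').Groups[1].Value
        # Assumption: US-style timestamps (M/d/yyyy H:mm:ss); adjust for your locale.
        $fmt = 'M/d/yyyy H:mm:ss'
        $s = [datetime]::ParseExact($start, $fmt, [cultureinfo]::InvariantCulture)
        $e = [datetime]::ParseExact($end,   $fmt, [cultureinfo]::InvariantCulture)
        return ($e - $s).TotalHours
    }
    return $null   # no TGT in the cache (e.g. logon with cached credentials)
}

function Test-TgtAgainstPolicy {
    param([string]$KlistText, [double]$DomainHours, [double]$FilteredGpoHours)
    $actual = Get-TgtLifetimeHours -KlistText $KlistText
    if ($null -eq $actual) { return 'No TGT found in klist output' }
    if ([math]::Abs($actual - $FilteredGpoHours) -lt 0.01) {
        return "TGT lifetime ${actual}h: the group-filtered GPO value was applied"
    }
    if ([math]::Abs($actual - $DomainHours) -lt 0.01) {
        return "TGT lifetime ${actual}h: domain-level Kerberos policy won; the filtered GPO had no effect"
    }
    return "TGT lifetime ${actual}h matches neither configured value"
}

# Constructed sample of klist output (realm, names and times are made up).
$sampleKlist = @'
Current LogonId is 0:0x2f4d1

Cached Tickets: (1)

#0>     Client: kit @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Start Time: 8/3/2005 19:13:44 (local)
        End Time:   8/4/2005 5:13:44 (local)
        Renew Time: 8/10/2005 19:13:44 (local)
'@

# Placeholder values: 10h for the domain Kerberos policy, 2h for what the filtered GPO
# tried to set. Live use: -KlistText (klist | Out-String) instead of the sample.
Test-TgtAgainstPolicy -KlistText $sampleKlist -DomainHours 10 -FilteredGpoHours 2
```

Run it once on an account the filtered GPO targets and once on an ordinary account; if both report the domain-level value, the DCs are applying the single domain Account Policy, as Joe describes.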

