Re: Kerberos User Ticket Lifetime

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 08/05/05

  • Next message: Lanwench [MVP - Exchange]: "Re: someone else is signing in on my email"
    Date: Fri, 5 Aug 2005 07:21:49 -0700
    
    

    Wong - as Joe has been saying, Account Policies receive special
    handling, which is built into the binaries, so that it is single instanced
    on the DCs and hence domain-wide and uniform.
    Consider, how would things actually work out if it were allowed to
    be different? Is this ticket expired? Is this password too old? Too
    short? etc. All would require conditional processing. Does not sound
    too bad, but when you start to think of what it is that would have to do
    this you realize it is asking the highly secured binaries in Winlogon
    and other protected contexts of lsa to then interface with less secured
    code, which is a failed design.

    -- 
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Wong Tuck Wah" <WongTuckWah@discussions.microsoft.com> wrote in message
    news:15724B34-8A60-483F-AC8C-5D04B3BBDFF1@microsoft.com...
    > What if my filtering is based on computer groups instead of users?
    >
    > "Joe Richards [MVP]" wrote:
    >
    > > Again this doesn't work. Account policy is a single instance thing on
    > > domain controllers. It is computer based, not user based. You could get it
    > > so one DC would have one policy and another would have a different policy,
    > > but that can only be accomplished by breaking the FRS and AD replication
    > > mechanisms so that policy doesn't properly replicate.
    > >
    > > --
    > > Joe Richards Microsoft MVP Windows Server Directory Services
    > > www.joeware.net
    > >
    > >
    > > Wong Tuck Wah wrote:
    > > > Hmm...  yes, the tricky part is that the Kerberos policy is part of
    > > > Account Policy.
    > > >
    > > > I always wonder whether we can create 2 GPOs with different account
    > > > policy, and link them to the domain level. Using filtering to assign the
    > > > specific groups to the appropriate GPO so that they will get the right
    > > > settings.
    > > >
    > > > I have simulated this setup and confirm using GP Modelling tool to show
    > > > that different groups do inherit the correct GP settings, including
    > > > Account Policy.
    > > >
    > > > I did not have time to try out whether users do rcv the right kerberos
    > > > settings, as I need to know the exact registry key and value they rcv
    > > > before and after applying the settings. This will then conclude my
    > > > hypothesis.
    > > >
    > > > Any idea where the exact path of the ticket cache is?
    > > >
    > > > TIA.
    > > >
    > > >
    > > > "Joe Richards [MVP]" wrote
    > > >
    > > >>This policy can only be set at the domain level.
    > > >>
    > > >>--
    > > >>Joe Richards Microsoft MVP Windows Server Directory Services
    > > >>www.joeware.net
    > > >>
    > > >>
    > > >>Kit wrote:
    > > >>
    > > >>>Hi,
    > > >>>In Windows 2000 Server and Windows Server 2003, is it possible to set
    > > >>>Maximum User Ticket Lifetime at a userid level, or only at the domain
    > > >>>level with the Maximum User Ticket Lifetime parm?  I would like to have
    > > >>>a domain setting that would cover most of the users, and set a shorter
    > > >>>ticket lifetime on the users who are in the Administrators groups, but
    > > >>>didn't see a way that a shorter lifetime could be set on those
    > > >>>individual userids to achieve that.
    > > >>>Anyone know if that's possible, and if so, how you'd do that?
    > > >>>
    > > >>>Thanks in advance!
    > > >>>- Kit
    > > >>
    > >
    
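Added example (not part of the thread, and not code from any of the posters): the check Wong was looking for, done from the defender's side. On Windows the Kerberos ticket cache is not a file or a registry key; LSASS holds it in memory, and the klist tool is the way to inspect it. The domain-wide Kerberos settings that Joe and Roger describe are written by the security settings extension into the GPO's GptTmpl.inf under a [Kerberos Policy] section. The script below parses a constructed GptTmpl.inf fragment and constructed klist output (the realm EXAMPLE.COM, the user, host names and timestamps are all made up for the sample), then compares each cached ticket's observed lifetime and renew window with MaxTicketAge, MaxServiceAge and MaxRenewAge. Run it against real klist output to confirm that every principal, whatever group it is in, gets the same single domain policy; the time format assumed is the US short form, so adjust _parse_time for other locales.

```python
import re
from datetime import datetime

# Constructed sample of the [Kerberos Policy] section that the security
# settings extension writes into a GPO's GptTmpl.inf. MaxTicketAge is in
# hours, MaxRenewAge in days, MaxServiceAge and MaxClockSkew in minutes.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed klist output: one TGT and one service ticket for a made-up user.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7f1

Cached Tickets: (2)

#0>     Client: wong @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        Start Time: 8/5/2005 7:21:49 (local)
        End Time:   8/5/2005 17:21:49 (local)
        Renew Time: 8/12/2005 7:21:49 (local)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: dc1.example.com

#1>     Client: wong @ EXAMPLE.COM
        Server: cifs/fs1.example.com @ EXAMPLE.COM
        Start Time: 8/5/2005 7:22:03 (local)
        End Time:   8/5/2005 17:21:49 (local)
        Renew Time: 8/12/2005 7:21:49 (local)
        Cache Flags: 0
        Kdc Called: dc1.example.com
"""

TICKET_BLOCK = re.compile(r"^#\d+>", re.MULTILINE)


def parse_kerberos_policy(inf_text):
    """Return the integer settings found under [Kerberos Policy] in a GptTmpl.inf."""
    policy, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Kerberos Policy" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            policy[key] = int(value)
    return policy


def _parse_time(text):
    # klist prints local time in the machine's short date/time format;
    # the sample uses the US form "m/d/yyyy h:mm:ss" (assumption).
    return datetime.strptime(text.strip(), "%m/%d/%Y %H:%M:%S")


def parse_klist(klist_text):
    """Extract client, server and the start/end/renew times of each cached ticket."""
    tickets = []
    for block in TICKET_BLOCK.split(klist_text)[1:]:
        fields = {}
        for key in ("Client", "Server", "Start Time", "End Time", "Renew Time"):
            m = re.search(rf"{key}:\s*(.+?)\s*(?:\(local\))?\s*$", block, re.MULTILINE)
            if m:
                fields[key] = m.group(1)
        tickets.append({
            "client": fields.get("Client", ""),
            "server": fields.get("Server", ""),
            "start": _parse_time(fields["Start Time"]),
            "end": _parse_time(fields["End Time"]),
            "renew": _parse_time(fields["Renew Time"]),
        })
    return tickets


def check_against_policy(tickets, policy):
    """Compare each ticket's observed lifetime and renew window with the domain policy.

    A TGT (server krbtgt/...) is bounded by MaxTicketAge in hours, any other
    ticket by MaxServiceAge in minutes; both are bounded by MaxRenewAge in days.
    """
    results = []
    for t in tickets:
        seconds = (t["end"] - t["start"]).total_seconds()
        if t["server"].startswith("krbtgt/"):
            observed, limit, unit = seconds / 3600, policy["MaxTicketAge"], "hours"
        else:
            observed, limit, unit = seconds / 60, policy["MaxServiceAge"], "minutes"
        renew_days = (t["renew"] - t["start"]).total_seconds() / 86400
        results.append({
            "server": t["server"],
            "observed": round(observed, 2),
            "limit": limit,
            "unit": unit,
            "within_lifetime": observed <= limit,
            "within_renew": renew_days <= policy["MaxRenewAge"],
        })
    return results


if __name__ == "__main__":
    dom_policy = parse_kerberos_policy(SAMPLE_GPTTMPL)
    for r in check_against_policy(parse_klist(SAMPLE_KLIST), dom_policy):
        status = "ok" if r["within_lifetime"] and r["within_renew"] else "EXCEEDS POLICY"
        print(f'{r["server"]}: {r["observed"]} {r["unit"]} (max {r["limit"]}) {status}')
```

A ticket whose lifetime exceeds the value in the Default Domain Policy would mean a KDC is issuing under a different policy than the one replicated to the rest of the domain, which is exactly the broken-replication situation Joe describes; that, and not a per-group GPO, is the only way the numbers can differ between users.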
