GPO – Kerberos Policies

What are Active Directory Kerberos Policies?

Kerberos remains the default authentication protocol in the active directory environment. There are five kerberos policies that directly relate to active directory authentication. These policies are supposed to be configured at the default domain level. Let’s walk through each of these policies in brief.

1. Enforce User Logon Restriction – The policy ensures that every user who requests for a user ticket is validated against the user rights settings on the target computer. A user ticket (TGT) is a certificate issued by Active Directory (KDC) that allows user to request service ticket. The user must either have “allow logon locally” or “access this computer from the network” rights on the target computer. This policy is enabled by default.


2. Maximum life time for Service Ticket – Defines the maximum time the service ticket stands valid. The default value is set to 600 mins. You can set service tickets to never expire by setting the value to zero.

3. Maximum life time for user ticket – Specifies the time for which the user ticket stands valid. Default value is 10 hours that is equal to default life time of service tickets. If set to zero, user ticket would never expire.

4. Maximum lifetime for user ticket renewal – AD DS can renew a user ticket (ticket granting ticket) when it nears the end of its validity period. This policy determines the time (in days) during which a user ticket (TGT) may be renewed. Default is seven days.

5. Maximum tolerance for computer clock synchronization – The policy determines the maximum time difference that can exist between the time on client computer and the time on the authenticating domain controller.It should be notes that Computers measure this difference in universal time rather than using local time zone settings. The default is 5 mins.

Although the default policy settings are appropriate for most of the environments, these policies can be made more stringent by decreasing user and service ticket lifetimes. However on the other side this creates more processing load on the domain controller.

11 thoughts on “GPO – Kerberos Policies

    1. dips1213 Post author

      I have been using it for long time with the default settings.
      I’ll try to figure out if I can enable the subscribe button from somewhere.:-)


  1. Pingback: GPO – Password and Account Lockout Policy | Wintel Geeks

  2. BrentSRoscoe

    Excellent post however I was wanting to know if you could write a litte more
    on this topic? I’d be very grateful if you could elaborate a little
    bit further. Appreciate it!

  3. DamianPSawka

    Hi there! I recently wished to ask should you ever possess
    problems with hackers? My last blog (wordpress) was hacked
    and that i wound up losing months of hard work as a result of no support.
    Do you possess any solutions to control hackers?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s