Configure Kerberos policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To configure Kerberos policy

Open Active Directory Users and Computers.
In the console tree, right-click the domain or organizational unit for which you want to set Group Policy.
Click Properties, and then click the Group Policy tab.
Do one of the following:
- To edit an existing Group Policy object (GPO), in Group Policy Object Links, click the GPO that you want to edit, then click Edit.
- To create a new GPO, click New, type the name of the new GPO, and then click Edit.
In the console tree, click Kerberos Policy.

Where?
- Computer Configuration/Windows Settings/Security Settings/Account Policies/Kerberos Policy
In the details pane, double-click the Kerberos policy you want to modify.
Modify the policy, and then click OK.

Notes

To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
Any modifications to Kerberos policy will affect all the computers in the domain.
The Kerberos policies in the Windows Server 2003 family refer to the ticket-granting ticket as a user ticket.

Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.