Published: May 25, 2011
Updated: April 17, 2012
Applies To: Windows Server 2008 R2
Maps the name of a Kerberos principal to an account. For examples of how this command can be used, see Examples.
An account can be specifically identified, such as domain guests. Or you can use the wildcard character (*) to include all accounts.
If an account name is omitted, mapping is deleted for the specified principal.
The computer will only authenticate the principals of the given realm if they present valid Kerberos tickets.
Use ksetup without any parameters or arguments to see the current mapped settings and the default realm.
Whenever changes are made to the external Key Distribution Center (KDC) and the realm configuration, a restart of the computer where the setting was changed is required.
Map Mike Danseglio's account within the Kerberos realm CONTOSO to the guest account on this computer, granting him all the privileges of a member of the built-in Guest account without having to authenticate to this computer:
ksetup /mapuser mike@corp.CONTOSO.COM guest
Remove the mapping of Mike Danseglio's account to the guest account on this computer to prevent him from authenticating to this computer with his credentials from CONTOSO:
ksetup /mapuser mike@corp.CONTOSO.COM
Map Mike Danseglio's account within the CONTOSO Kerberos realm to any existing account on this computer. (if only the standard user and guest accounts are active on this computer, Mike's privileges will be set to those):
ksetup /mapuser mike@corp.CONTOSO.COM *
Map all accounts within the CONTOSO Kerberos realm to any existing account of the same name on this computer:
ksetup /mapuser * *