Maximum lifetime for user ticket (Windows)

Module: Active Directory

Supported Platforms: Windows 2000, Windows 2003, Windows 2008

This check reports a problem if this Kerberos Policy setting is higher than the recommended setting of 10 hours. This check is intended to run only on domain controllers to produce results for specific domains.

The following table lists the error messages for the check.

Table: Error messages for Maximum lifetime for user ticket

Message String ID and Category

Platform and Message Numeric ID

Message Title and Description

Additional Information

String ID: ESM_USER_TICK_LIFE_TOO_HIGH

Category: Policy Compliance

  • Windows 2000 (108139)

  • Windows 2003 (208139)

  • Windows 2008 (251139)

Title: User ticket lifetime too high

Description: When the value for this Kerberos Policy setting is too high, users whose accounts have been disabled might be able to continue to access network services by using valid service tickets that were issued before their accounts were disabled, or they might be able to access network resources outside of their logon hours. It is recommended that the value for "Maximum lifetime for user ticket" be set to 10 hours.

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: ESM_USER_TICK_LIFE_NOT_SET

Category: Policy Compliance

  • Windows 2000 (108140)

  • Windows 2003 (208140)

  • Windows 2008 (251140)

Title: User ticket lifetime not set

Description: When the value for this Kerberos Policy setting is too high, users whose accounts have been disabled might be able to continue to access network services by using valid service tickets that were issued before their accounts were disabled, or they might be able to access network resources outside of their logon hours. It is recommended that the value for "Maximum lifetime for user ticket" be set to 10 hours.

Severity: red-4

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]
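
The decision this check makes can be reproduced offline against an exported security template. The following is an added example, not the product's own code. It assumes the policy is available as INF text (for example the domain policy's GptTmpl.inf or a secedit export) where the [Kerberos Policy] section holds MaxTicketAge in hours. The function names and the sample template are constructed for illustration.

```python
RECOMMENDED_HOURS = 10  # recommended maximum stated on this page

# Constructed sample of a security template; not taken from a real domain.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 12
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

def read_kerberos_policy(inf_text):
    """Return the key/value pairs of the [Kerberos Policy] section only."""
    section, values = None, {}
    for raw in inf_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are matched case-insensitively
        elif section == "kerberos policy" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values

def check_user_ticket_lifetime(inf_text, limit=RECOMMENDED_HOURS):
    """Return (string_id, info_field) for a finding, or None when compliant.

    Assumption: the "[%s]" information field carries the observed value.
    A value of 0 is not special-cased; the page does not say how the
    check treats it.
    """
    raw = read_kerberos_policy(inf_text).get("maxticketage")
    if raw is None or not raw.isdigit():
        # Missing or unparseable setting maps to the "not set" message.
        return ("ESM_USER_TICK_LIFE_NOT_SET", "[%s]" % ("not defined" if raw is None else raw))
    hours = int(raw)
    if hours > limit:
        return ("ESM_USER_TICK_LIFE_TOO_HIGH", "[%s]" % hours)
    return None

if __name__ == "__main__":
    print(check_user_ticket_lifetime(SAMPLE_INF))
```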