Maximum lifetime for user ticket renewal (Windows)

Module: Active Directory

Supported Platforms: Windows 2000, Windows 2003, Windows 2008

This check reports a problem if this Kerberos Policy setting is higher than the recommended setting of 7 days. This check is intended to run only on domain controllers to produce results for specific domains.

The following table lists the error messages for the check.

Table: Error messages for Maximum lifetime for user ticket renewal

Columns: Message String ID and Category; Platform and Message Numeric ID; Message Title and Description; Additional Information

String ID: ESM_USER_TICK_RENEW_TOO_HIGH

Category: Policy Compliance

  • Windows 2000 (108141)

  • Windows 2003 (208141)

  • Windows 2008 (251141)

Title: User ticket renewal lifetime too high

Description: When the value for this Kerberos Policy setting is too high, users might be able to renew very old user tickets. It is recommended that the value for "Maximum lifetime for user ticket renewal" be set to 7 days.

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: ESM_USER_TICK_RENEW_NOT_SET

Category: Policy Compliance

  • Windows 2000 (108142)

  • Windows 2003 (208142)

  • Windows 2008 (251142)

Title: User ticket renewal lifetime not set

Description: When the value for this Kerberos Policy setting is too high, users might be able to renew very old user tickets. It is recommended that the value for "Maximum lifetime for user ticket renewal" be set to 7 days.

Severity: red-4

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]
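
The two conditions this check reports can be reproduced against security template text. The following is an added example, not the product's own code. It assumes the policy is read from a template such as a GPO's GptTmpl.inf, where this setting is the MaxRenewAge key (in days) under [Kerberos Policy]; the function names and sample templates are constructed for illustration.

```python
import re

RECOMMENDED_MAX_DAYS = 7  # recommended value stated in the check description

# Constructed sample templates (not taken from a real domain).
TEMPLATE_OK = """[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
"""
TEMPLATE_TOO_HIGH = TEMPLATE_OK.replace("MaxRenewAge = 7", "MaxRenewAge = 30")
TEMPLATE_NOT_SET = TEMPLATE_OK.replace("MaxRenewAge = 7\n", "")


def kerberos_policy(inf_text):
    """Return the key/value pairs found in the [Kerberos Policy] section."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop INF comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "kerberos policy" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def check_renewal_lifetime(inf_text):
    """Return (message string ID or None, configured days or None).

    Mirrors only the two conditions this page lists: value above 7 days,
    or value not set (missing or not a number is treated as not set).
    """
    raw = kerberos_policy(inf_text).get("maxrenewage")
    if raw is None or not raw.isdigit():
        return ("ESM_USER_TICK_RENEW_NOT_SET", None)
    days = int(raw)
    if days > RECOMMENDED_MAX_DAYS:
        return ("ESM_USER_TICK_RENEW_TOO_HIGH", days)
    return (None, days)


if __name__ == "__main__":
    for name in ("TEMPLATE_OK", "TEMPLATE_TOO_HIGH", "TEMPLATE_NOT_SET"):
        print(name, check_renewal_lifetime(globals()[name]))
```

GptTmpl.inf files are normally UTF-16 encoded, so decode the file accordingly before passing its text to the function.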