How are the Kerberos Tickets updated when the security group membership is changed ?

Overview

This article provides instructions on configuring the SYNERGIX AD Client Extensions Kerberos Tickets Management feature to refresh Kerberos Tickets soon after the user or computer object security group membership is updated.

 

More Information

SYNERGIX AD Client Extensions software enables the listener component that monitors security group membership changes on the user object or computer object.  You may allow the software to listen to change on multiple domain controllers ( up to 20 DCs ) or specific domain controller.

 

Procedure

  1. Log into a domain computer with a user account that has privileges to modify Group Policy Objects in Active Directory. 
  2. From Windows Start button, select Programs \ Administrative Tools and launch "Group Policy Management Console"  program or run GPMC.MSC.
    1. If you are operating Windows 7.0 domain computer, you must have RSAT installed to start GPMC.MSC
    2. If you are operating Windows XP domain computer, you must have Group Policy Management console installed.
  3. Select the Group Policy Object used to configure SYNERGIX AD Client Extensions settings.
  4. Right mouse click on the Group Policy Object and then, from the context menu, select EDIT item.
  5. In Group Policy Editor, expand Computer Configuration \ Administrative Templates \ Synergix AD Client Extensions \ Security Settings
  6. Select "Kerberos Tickets Management" group policy setting.  Double click on the setting to bring up properties dialog box.
  7. Select "Enabled" radio button to enable and then, configure feature settings.
  8. Select "Purge Kerberos Tickets Upon User Membership Change"
  9. Select "Purge Kerberos Tickets Upon Compuer Membership Change"
  10. Optionally, select "Display Notification to User"
  11. Set "Recycle Notification Interval ( in min )" to 60 ( default value )
  12. Under "Domain Controllers to bind to for listening, type the FQDN of the Active Directory domain.  You can enter specific domain controller FQDN or multiple domain controllers FQDN. 
    1. When the FQDN of the Active Directory domain is used, the feature will listen to max 20 DCs in the domain.
    2. To limit the listener to one DC only, use FQDN of specific DC.  In such cases, the user object or computer object may be updated ( group membership updates ) on the specified DC only.
    3. When entering multiple domain controllers' FQDN, you may use a semi colon ';'  character to separate the entries. 
  13. Close Group Policy Editor.
  14. Wait for replication cycle to complete and for the Group Policy Object changes to replicate on all domain controllers.
  15. Log into your workstation.
  16. Run GPUPDATE /force command to force down the policy changes.
  17. Launch REGEDIT and check the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Synergix\ADCE\Security Settings\Advanced Kerberos Tickets Management.  
  18. If the registry entries are present, it confirm the policy changes were applied.  If not, wait until the policy changes are applied before proceeding with next step.
  19. Close AD Client Extensions client applications.  From the system tray icon, hover over the ADCE icon, right mouse click on it and close the client application.
  20. From Program Files\Synergix\ADCE, locate the client application executable and start it again.
  21. When the client application is relaunched, it will listen to changes that occur on computer and on user object.
 

Test Scenario

N/A

References

N/A

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk