Maximum Lifetime For Service Ticket: The maximum time (in minutes) that a service ticket is valid to access a particular service. The default is 600 minutes.
Maximum Lifetime For User Ticket: The maximum time (in hours) that a ticket granting ticket is valid. The default is 10 hours.
Maximum Lifetime for User Ticket Renewal: The maximum amount of time (in days) that a ticket granting ticket can be renewed. The default is seven days.
Maximum Tolerance For Computer Clock Synchronization: The maximum difference (in minutes) between a client clock and a domain controller clock that is allowed before a timestamp is considered not authentic. The default is five minutes.
Thought experiment
Enabling fine-grained password policies
In this thought experiment, apply what you've learned about this objective. You can
find answers to these questions in the “Answers” section at the end of this chapter.
You are the network administrator for TreyResearch.net. The Default Domain
Password Policy is for a minimum 8-character password with enforced complexity
that is changed at least once per quarter. Management determines that this policy
is insufficient for users with access to sensitive information, including Human
Resources, Finance, and Administration users, as well as key management personnel in
Engineering. It has mandated that a minimum password length of 15 characters and
a maximum age of 35 days is necessary and appropriate while further research is
done on the cost and suitability of moving to two-factor authentication (TFA). You
need to implement these changes without affecting other users.
1. What options do you have for giving these users password policies different
from the default policy?
2. How would you implement this change?
Objective summary
The Default Domain Policy sets the baseline for all other password policies.
Individual PSOs can be assigned to security groups in Active Directory.
You can see the resultant password setting for an object with the Active Directory
Administrative Center.
Account lockout policies are set with the Default Domain Policy and any additional
PSOs that apply.
Use the Delegation of Control Wizard in Active Directory Users and Computers to
delegate permission to reset passwords.
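The points in the objective summary, as an added PowerShell example (not from the original text) using the ActiveDirectory module: it creates a PSO with the 15-character and 35-day values from the thought experiment, assigns it to a security group, and reads back the resultant policy for one member. The PSO name, group name, precedence value, and sample user are assumptions, and the group is created as a global security group because PSOs apply to users and global security groups.

```powershell
# Added example. $psoName, $groupName, $precedence and $sampleUser are
# hypothetical values chosen for illustration.
Import-Module ActiveDirectory

$psoName    = 'Sensitive-Users-PSO'
$groupName  = 'Sensitive Data Users'
$precedence = 10          # lower number wins when several PSOs apply
$sampleUser = 'asmith'    # a member of $groupName, used for verification

# A PSO applies as a whole, so settings that management did not change
# are copied from the Default Domain Policy rather than left unset.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy

# Create the security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}

# Create the PSO if it does not exist yet.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    $pso = @{
        Name                           = $psoName
        Precedence                     = $precedence
        MinPasswordLength              = 15
        MaxPasswordAge                 = New-TimeSpan -Days 35
        ComplexityEnabled              = $true
        MinPasswordAge                 = $domainPolicy.MinPasswordAge
        PasswordHistoryCount           = $domainPolicy.PasswordHistoryCount
        LockoutThreshold               = $domainPolicy.LockoutThreshold
        LockoutDuration                = $domainPolicy.LockoutDuration
        LockoutObservationWindow       = $domainPolicy.LockoutObservationWindow
        ReversibleEncryptionEnabled    = $false
        ProtectedFromAccidentalDeletion = $true
    }
    New-ADFineGrainedPasswordPolicy @pso
}

# Assign the PSO to the group; users outside the group keep the domain policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verify: list the PSO's subjects, then the policy that wins for one user.
# The second command returns nothing when only the domain policy applies.
Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    Select-Object Name, ObjectClass
Get-ADUserResultantPasswordPolicy -Identity $sampleUser |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```

A changed maximum age is evaluated against each account's existing password-last-set time, so members whose passwords are already older than 35 days are asked to change them at next logon.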
 
 