Kerberos ticket size


kochg

IS-IT--Management
Apr 2, 2002
Hi,

I will describe my problem:

-I make a new user on the (W2K) server, and place it in the Domain Admins group for example. The user is now a member of 2 groups: Domain Users and Domain Admins. If the user logs on to a PC (XP) in the domain, he is also a local admin on that machine.

-I make 100 global security groups and add them to the membership list of the created user.

-Then the user logs on again (as domain admin) to a machine and strange things happen: the user can still see the security log in Event Viewer for example, so you might think he is admin, but when he tries to install an application (Adobe InDesign for example), the application says the user is not a local administrator and doesn't install (and it did install before adding the groups). Folder redirection also seems to be a related issue, as the My Documents folder doesn't point to the defined path anymore.


I added the key in the registry as described in TechNet article 263693, but this didn't help (I also received the patch from MS, but it won't install because the server is already on SP3).

I'm convinced it has something to do with the Kerberos ticket size so I hope someone can help me with this.

Thanks in advance!

G
 
First check again that none of those groups are in a deny list. Deny, you know, always has priority.
About Kerberos, indeed there is a maximum number of groups... so, try using NTLMv2 for authentication.
How to set NTLM? Below I have tried to make a short procedure:
Via group policy:
Group Policy Container\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\LAN Manager Authentication Level.

It will change the key:
HKLM\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel

That should have one of the values:
0 (send LM & NTLM responses).
1 (Send LM & NTLM–use NTLMv2 session security if negotiated).
2 (Send NTLM response only).
3 (Send NTLMv2 response only).
4 (Send NTLMv2 response only\refuse LM).
5 (Send NTLMv2 response only\refuse LM & NTLM).

Choose one that is good for you.
Indeed a pity that Kerberos is so limited... but maybe you can achieve more by redesigning your groups and how they are nested.

Gia Betiu
giabetiu@chello.nl
Computer Eng. CNE 4, CNE 5, MCSE Win2K
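The registry setting described in the reply above, together with the check a practitioner would want to run before changing anything, as an added PowerShell example (not code from the thread or from either poster). It assumes a domain-joined Windows host with PowerShell and an elevated session for the registry writes. The `MaxTokenSize` value name under `Lsa\Kerberos\Parameters` is the one KB 263693 documents, but the thread itself never prints it, so treat that path as an assumption. One caveat: `LMCompatibilityLevel` only governs which LM/NTLM response variants a host sends and accepts; a domain logon that can use Kerberos still does, so the setting is not a switch from Kerberos to NTLM, and values below 3 permit LM/NTLMv1 responses that are cheap to crack offline.

```powershell
# Added example (not from the thread): inspect and set the LSA settings discussed above.
# Run in an elevated PowerShell session; the registry writes need administrator rights.

# Meanings of LMCompatibilityLevel, as listed in the reply above.
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Assumed path (from KB 263693, not printed in the thread): Kerberos buffer-size override.
$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-LmCompatibilityLevel {
    # Reads the configured value and maps it to its meaning. A missing value means the
    # OS default applies (0 on Windows 2000/XP, 3 on Windows Vista and later).
    $prop  = Get-ItemProperty -Path $LsaKey -Name LMCompatibilityLevel -ErrorAction SilentlyContinue
    $level = if ($prop) { [int]$prop.LMCompatibilityLevel } else { $null }
    $meaning = if ($null -ne $level) { $LmLevels[$level] } else { 'not set (OS default applies)' }
    [pscustomobject]@{ Level = $level; Meaning = $meaning }
}

function Set-LmCompatibilityLevel {
    param([Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level)
    # Levels below 3 still send LM/NTLMv1 responses, which are trivially cracked offline;
    # 5 is the hardened choice. Lowering the level to work around a Kerberos problem
    # weakens every NTLM exchange this host makes, so warn before doing it.
    if ($Level -lt 3) { Write-Warning "Level $Level permits LM/NTLMv1 responses." }
    Set-ItemProperty -Path $LsaKey -Name LMCompatibilityLevel -Value $Level -Type DWord
    Get-LmCompatibilityLevel
}

function Get-TokenGroupSummary {
    # Counts the group SIDs in the current logon token, reports whether the token
    # evaluates as a member of the local Administrators role (the symptom in the
    # original post is that this and installer checks disagree), and reads MaxTokenSize.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    $mts = (Get-ItemProperty -Path $KerbKey -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    $mtsText = if ($mts) { $mts } else { 'not set (default)' }
    [pscustomobject]@{
        User         = $identity.Name
        GroupCount   = $identity.Groups.Count
        IsLocalAdmin = $isAdmin
        MaxTokenSize = $mtsText
    }
}

# Usage: record the baseline before the extra group memberships are added, then compare.
Get-LmCompatibilityLevel
Get-TokenGroupSummary
```

Run `Get-TokenGroupSummary` once as the test user before the 100 groups are added and once after a fresh logon with them; the `GroupCount` difference shows how many SIDs the token actually carries, and `MaxTokenSize` confirms whether the override from KB 263693 is present on the client being tested rather than only on the server.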
 
Thanks for the reply,

No, the groups are newly created, without any deny on one of them. The problem starts already at more than 40 group memberships, and that's very low.

Using NTLM is not really an option. For security reasons, Kerberos must be used (not my call).

I opened a call at Microsoft. Let's see what they think...

Kind regards,

G
 