Specify groups to infinitely renew Kerberos credentials

Specify the list of groups whose user members' Kerberos credentials require infinite renewal, even after the users have logged out.

The specified groups must be Active Directory groups (they do not need to be zone enabled). Group names should be in a format such as "[email protected]".

All zone enabled users who are members of the groups specified, including members of any nested groups and the users whose primary group is set to one of the groups specified, will have their Kerberos credentials renewed (or reissued) automatically.

This group policy modifies the krb5.cache.infinite.renewal.batch.groups setting in the Centrify DirectControl configuration file.

Supported on:

Skip items whose name is

Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Kerberos
Value Name: {number}
Default Value

