Dj Merrill wrote:
> That makes sense, thanks for the pointer!
>
> If I create a registry entry
> HKLM\Software\MIT\Leash,lifetime
> and give it the same 1500 value as the
> HKCU\Software\MIT\Leash,lifetime
> things seem to work as expected (25 hour tokens obtained
> with integrated login). Sweet! :-)

That is one of the ones you could have used.

> Or were you referring to another type of
> system-wide default?
>
> Using the above HKLM setting should suffice for
> any of the machines that we administer directly.
> I'm not quite sure what to do with all of the student owned machines,
> though, but we are significantly farther ahead than we were.
> The majority of them most likely won't be using integrated login,
> so the problem set is now significantly reduced.
>
> Thanks for your help! :-)
>
> -Dj

To be honest though, I don't know what you are attempting to achieve here. If you give permissions for your users to obtain TGTs that have lifetimes longer than 25 hours, your users can obtain tickets and therefore tokens that have lifetimes longer than 25 hours.

If you want to only allow a subset of your users to obtain tickets with lifetimes longer than 25 hours, you should be placing these limits in the KDB. The lifetimes set in the registry are defaults that are designed to be altered by the end user via Leash and do not apply at all to tickets obtained via other tools.

Jeffrey Altman
