Specify groups to infinitely renew Kerberos credentials

Specify a list of Active Directory groups whose members’ Kerberos credentials require infinite renewal even after the users have logged out. Groups that you specify must be Active Directory groups, but do not need to be zone enabled. However, only zone enabled users in a group will have their credentials automatically renewed.

If this group policy is Enabled, group member’s credentials are renewed automatically. You must use the following format to specify groups when you enable this group policy:


For example:


By default, this group policy is disabled.

This group policy modifies the krb5.cache.infinite.renewal.batch.groups setting in the agent configuration file.