Set password change verification attempts

Specify the number of times that adkeytab attempts to verify password changes after an initial, failed attempt.

Some environments, such as those using a read-only domain controller (RODC), can experience replication delays that may prevent Kerberos password changes to be verified through adclient. As a result of this delay, the new password may not be saved to the keytab file.

Increasing the number of verification attempts can address replication delays that may result from having a read-only domain controller.

This group policy modifies the adclient.krb5.password.change.verify.retries setting in the agent configuration file.

The default setting is 0, which means that adkeytab does not attempt additional password verification attempts after the initial failure.