Specify the number of times that
adkeytab attempts to verify password changes after an initial, failed attempt.
Some environments, such as those using a read-only domain controller (RODC), can experience replication delays that may prevent Kerberos password changes to be verified through
adclient. As a result of this delay, the new password may not be saved to the keytab file.
Increasing the number of verification attempts can address replication delays that may result from having a read-only domain controller.
This group policy modifies the
adclient.krb5.password.change.verify.retries setting in the agent configuration file.
The default setting is 0, which means that
adkeytab does not attempt additional password verification attempts after the initial failure.