This configuration parameter specifies a list of Active Directory groups whose members’ Kerberos credentials require infinite renewal even after the users have logged out.

Requirements to use this parameter:

  • Specified groups must be Active Directory groups.
  • Groups do not need to be zone enabled.
  • To have their credentials automatically renewed, users in the group must:
    • Be zone enabled (that is, mapped users are not supported).
    • Log into the desired system once using the Account Password.

You must use the following format to specify group names:


For example:


By default, this parameter does not list any groups.

You can also use group policy to set this parameter.