Enforce user logon restrictions

This security setting determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account. Validation of each request for a session ticket is optional, because the extra step takes time and it may slow network access to services.

Policy path: 

Computer Configuration\Windows Settings\Local Policies\Kerberos Policy


clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings.



Supported on: 

At least Windows XP SP2, Windows Server 2003

Registry settings: 

Kerberos Policy security settings are not registry keys.

Reboot required: 


Related content