2025-02-26 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article explains the Protected Users security group in detail.
The Protected Users security group prevents the credentials of highly sensitive accounts from being cached locally on domain member computers. It requires every logon by an account in the group to be verified by a domain controller.
Protected Users is a new group in which you can place these highly sensitive accounts. You can find it in the Users container in AD DS. To enable the protection, administrators simply add the highly sensitive accounts to the Protected Users security group.
The Protected Users feature is a client-side feature that runs on domain member computers to protect domain accounts. It is supported only on domain member computers running the following operating systems:
Windows 8.1 or later
Windows Server 2012 R2 or later
Older operating system versions do not support this feature, so the credentials of user accounts in the Protected Users group will inevitably be cached on those local computers. On older operating systems, to ensure that user accounts in the Protected Users group are not compromised, you must use another method, such as the Deny log on locally security setting.
Protected users cannot use the following protocols when logging on to a domain member computer that supports this feature:
Default credential delegation, or the Credential Security Support Provider (CredSSP)
Digest authentication
NTLM
When a user is a member of the Protected Users security group, the following apply:
Users must be able to authenticate using AES-based encryption, so all domain controllers must be at the Windows Server 2008 level or later.
Any account in the Protected Users group that changes its password must do so against a Windows Server 2008 or later domain controller, to ensure that the password is encrypted using AES.
On supported domain member computers, such as Windows 10 and Windows Server 2016, the user's credentials are not cached on the member computer.
Users can log on to domain member computers only if the computer can reach a domain controller. Offline logon is impossible for these accounts. If a service is configured to start as a member of the Protected Users group, it will not be able to start while the domain member computer is offline.
The maximum lifetime of an issued Kerberos TGT and the maximum lifetime for user ticket renewal are both limited to 240 minutes (4 hours). For all other accounts, administrators configure these values through domain policy, where the default maximum ticket lifetime is 10 hours and the default maximum renewal lifetime is 7 days, but for protected users the value is hard-coded to 4 hours.
The Protected Users feature is a domain-wide security configuration. There is no way to apply it only to specific users on specific devices. Use the feature carefully, and test it before relying on it.
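A pre-flight audit along these lines, as an added example that is not part of the original article: it assumes the RSAT ActiveDirectory PowerShell module and read access to the domain, and it treats a populated servicePrincipalName as a heuristic for service accounts.

```powershell
# Added example: audit a domain before relying on Protected Users.
# Assumes the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

# Windows 8.1 and Windows Server 2012 R2 both report OS version 6.3.
$minSupported = [version]'6.3'

# 1. Member computers that do not support the client-side protections,
#    so credentials of protected users can still be cached on them.
$unsupported = Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem, OperatingSystemVersion |
    Where-Object {
        # OperatingSystemVersion looks like "10.0 (19045)" or "6.1 (7601)".
        # Computers with no parsable version are skipped, not flagged.
        $_.OperatingSystemVersion -match '^(\d+\.\d+)' -and
        ([version]$Matches[1] -lt $minSupported)
    } |
    Select-Object Name, OperatingSystem, OperatingSystemVersion

# 2. Current members, with the attributes that matter for the restrictions.
$members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.distinguishedName -Properties ServicePrincipalName, PasswordLastSet
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            # Heuristic: an SPN suggests the account runs a service, and that
            # service cannot start while no domain controller is reachable.
            HasSpn          = @($u.ServicePrincipalName).Count -gt 0
            # AES keys exist only if the password was changed against a
            # Windows Server 2008 or later DC; review very old dates.
            PasswordLastSet = $u.PasswordLastSet
        }
    }

"Computers without Protected Users support: $(@($unsupported).Count)"
$unsupported | Format-Table -AutoSize
"Protected Users members: $(@($members).Count)"
$members | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Computers listed in the first table are where the Deny log on locally setting mentioned above still has to carry the protection.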