Many organizations have a proliferation of users holding domain admin credentials or other levels of privilege that go beyond the recommended standard user privileges. While I would always recommend that domain admin accounts should be kept to a minimum and never used for day-to-day computing, support or administrative tasks, it’s also wise to take extra steps to protect privileged accounts when they are released for use. In this Ask the Admin, I’ll describe how to add additional protection to privileged admin accounts in Windows Server 2012 R2.
Windows Server 2012 R2 introduced several new technologies designed to help protect privileged credentials, including the Active Directory Protected Users group. Adding new or existing users to this global security group prevents Windows 8.1 and Windows Server 2012 R2 devices from caching those users’ credentials, providing additional protection against password theft. Users logged in to devices that support Protected Users are prevented from using:
Furthermore, if the domain functional level is Windows Server 2012 R2 or higher, Protected Users cannot:
Additionally, the protections afforded by the Protected Users group are only enabled on domain controllers if the domain functional level is Windows Server 2012 R2 or higher.
Because DES and RC4 ciphers are not supported for Kerberos pre-authentication by members of the Protected Users group, AES keys must already exist in Active Directory for those accounts. AES keys are only generated when a password is set on a domain controller running Windows Server 2008 or later, so all domain controllers should be running Windows Server 2008 or later, and you should change each account’s password before adding it to the Protected Users group so that the change is guaranteed to have been processed by a Windows Server 2008 (or later) domain controller.
If the Protected Users group doesn’t exist in your domain, then you will need to transfer the PDC emulator Flexible Single Master Operation (FSMO) role to a server running Windows Server 2012 R2. Once the Protected Users group has been created and replicated to all domain controllers in the domain, the PDC emulator FSMO role can be moved back to its original location. For more information on transferring FSMO roles, see Manage Flexible Single Master Operation (FSMO) Roles Using PowerShell on Petri IT Knowledgebase.
The Protected Users group in Windows Server 2012 R2 Active Directory (Image Credit: Russell Smith)
Computer and service accounts should not be added to the Protected Users group. Some of the protections provided by Protected Users can be enabled for these accounts by modifying NTLM policies, authentication policies and blocking delegation for accounts in Active Directory.
Users can be added to the Protected Users group using Active Directory Administrative Center (ADAC), Active Directory Users and Computers (ADUC), and PowerShell. There are no workarounds for the protections enabled, so this could potentially lock users out of systems or significantly reduce functionality in some circumstances. As such, before adding users to the Protected Users group, make sure that you carry out testing in a pre-production environment.
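The following PowerShell script is an added example, not code from the original article, that wraps the prerequisites described above (group existence and PDC emulator version, domain controller operating systems, domain functional level, no service or computer accounts, passwords reset after all domain controllers reached Windows Server 2008) into pre-flight checks before the membership change. It assumes the ActiveDirectory RSAT module, domain admin rights, and a date you supply for when the last pre-2008 domain controller was retired; the account names and that date are constructed placeholders.

```powershell
# Added example (not from the original article): pre-flight checks before adding
# accounts to Protected Users, followed by the membership change itself.
# Assumes the ActiveDirectory RSAT module and Domain Admin rights.
Import-Module ActiveDirectory

# Constructed sample input: replace with your own admin account names.
$Candidates = @('alice.admin', 'bob.admin')

# Assumed value: the date the last pre-Windows Server 2008 DC was demoted.
# Passwords set before this date may lack AES keys and must be reset first.
$AesCutoff = Get-Date '2014-01-01'

$domain = Get-ADDomain

# 1. The group is only created once the PDC emulator runs on Windows Server 2012 R2.
$group = Get-ADGroup -Filter "Name -eq 'Protected Users'" -ErrorAction SilentlyContinue
if (-not $group) {
    $pdc = Get-ADDomainController -Identity $domain.PDCEmulator
    throw "Protected Users group not found. PDC emulator $($pdc.HostName) runs '$($pdc.OperatingSystem)'; transfer the role to a Windows Server 2012 R2 DC, wait for replication, then move it back."
}

# 2. Every DC must be Windows Server 2008 or later so AES Kerberos keys can be generated.
$oldDCs = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -match 'Windows Server 2003|Windows 2000' }
if ($oldDCs) {
    throw "Pre-2008 domain controllers present: $($oldDCs.HostName -join ', ')"
}

# 3. Domain-controller-side protections need the 2012 R2 domain functional level.
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
if ([int]$domain.DomainMode -lt [int]$required) {
    Write-Warning "Domain functional level is $($domain.DomainMode): only client-side (Windows 8.1 / 2012 R2 device) protections apply."
}

# Evaluate one account and return a verdict object rather than acting immediately.
function Test-ProtectedUserCandidate {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, ServicePrincipalName
    $reasons = @()

    # Computer and service accounts must stay out of the group; an SPN on a user
    # object is the usual sign of a service account.
    if ($u.ServicePrincipalName.Count -gt 0) {
        $reasons += "has $($u.ServicePrincipalName.Count) SPN(s); treat as a service account"
    }

    # A password last set before all DCs were 2008+ may have no AES keys in AD.
    if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $AesCutoff) {
        $reasons += "password last set $($u.PasswordLastSet); reset it on a 2008+ DC first"
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Eligible       = ($reasons.Count -eq 0)
        Reasons        = ($reasons -join '; ')
    }
}

$results = $Candidates | ForEach-Object { Test-ProtectedUserCandidate -SamAccountName $_ }
$results | Format-Table -AutoSize

# 4. Add only the eligible accounts. -WhatIf previews the change; remove it once
#    the accounts have been tested in a pre-production environment.
$eligible = $results | Where-Object Eligible | Select-Object -ExpandProperty SamAccountName
if ($eligible) {
    Add-ADGroupMember -Identity $group -Members $eligible -WhatIf
}
```

Run the script as written to get a per-account table of blockers without changing anything; the `-WhatIf` on `Add-ADGroupMember` keeps the final step a dry run until you deliberately remove it. Membership takes effect the next time each user obtains a Kerberos ticket, so have the affected users log off and on again (or purge their tickets) when you validate the change in your test environment.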
Copyright ©2019 BWW Media Group