Windows Server 2012 R2 introduced several new technologies designed to help protect privileged credentials, including the Active Directory Protected Users group. New or existing user accounts can be added to this global security group, which prevents Windows 8.1 and Windows Server 2012 R2 devices from caching those users’ credentials and so provides additional protection against credential theft.
When a user account is added to the Protected Users group, a set of authentication protocol restrictions is applied to the account to better protect it against compromise of its credentials during the authentication process. Microsoft recommends adding high-value accounts—such as server administrators—to the Protected Users group. The group is intended for interactive user accounts only: do not add computer accounts or service accounts, because the restrictions below break the protocols those accounts depend on.
When a member of Protected Users logs in to a device that supports the group (Windows 8.1 or Windows Server 2012 R2), the device will not use:
- Cached credentials. For example, the user cannot log in offline when no domain controller is reachable.
- Kerberos long-term keys. The ticket-granting ticket (TGT) is acquired at logon and cannot be re-acquired automatically from a cached key, so once the TGT expires the user must authenticate interactively again.
- Default credential delegation (CredSSP). Plain-text credentials are not cached even when the Allow delegating default credentials policy is enabled.
- Windows Digest authentication.
- NTLM. The NT one-way function (NTOWF), the password hash that NTLM authenticates with, is not cached.
Furthermore, if the domain functional level of the account’s domain is Windows Server 2012 R2 or higher, the domain controllers enforce additional restrictions. Protected Users cannot:
- Renew a Kerberos ticket-granting ticket beyond the initial four-hour lifetime.
- Authenticate with NTLM.
- Use DES or RC4 encryption types in Kerberos pre-authentication.
- Be delegated with unconstrained or constrained delegation.
Because RC4 and DES are refused, an account must already have AES keys before it is added. AES keys are generated when the password is set, so a user whose password was last changed before the domain reached the Windows Server 2008 functional level will be locked out of Kerberos logon until the password is reset.
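The following PowerShell script is an added example and is not part of the original post or of Microsoft’s documentation. It stages accounts into Protected Users the way an administrator would, running the pre-checks implied by the restrictions above: it confirms the domain functional level, resolves the group by its well-known RID (525) instead of by name, refuses accounts that carry service principal names, refuses accounts that cannot have AES keys, and then verifies membership and pulls the domain controller’s Protected Users failure log. The account names in `$Candidates` are placeholders, and the script assumes the ActiveDirectory RSAT module and rights to modify the group.

```powershell
# Added example (not from the original post): stage high-value user accounts into
# Protected Users with the pre-checks an administrator should run first.
# Assumes the ActiveDirectory module (RSAT) and permission to change group membership.
Import-Module ActiveDirectory

$Candidates = @('srv-admin01', 'srv-admin02')   # placeholder sAMAccountNames (assumption)

$domain = Get-ADDomain

# The DC-side restrictions (no NTLM, no RC4/DES pre-auth, no delegation, 4-hour TGT)
# only apply once the account's domain is at the 2012 R2 functional level or higher.
$required = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
if ([int]$domain.DomainMode -lt $required) {
    Write-Warning "Domain functional level is $($domain.DomainMode); only the client-side protections will apply."
}

# Resolve the group by its well-known RID (525) so a renamed or localized group is still found.
$protectedUsers = Get-ADGroup -Identity "$($domain.DomainSID.Value)-525"

# Bit flags for AES in msDS-SupportedEncryptionTypes. The attribute is usually unset on
# user accounts, which means the DC applies its defaults; only an explicit value is checked.
$AES128 = 0x08
$AES256 = 0x10

foreach ($name in $Candidates) {
    $user = Get-ADUser -Identity $name -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, MemberOf

    # Check 1: an account with SPNs is a service account. Cutting it off from NTLM and
    # delegation will break whatever runs under it, so skip rather than add.
    if ($user.ServicePrincipalName.Count -gt 0) {
        Write-Warning "$name has service principal names registered; skipping."
        continue
    }

    # Check 2: Kerberos pre-authentication must use AES after the add, so the account needs
    # AES keys. A null PasswordLastSet means the password must be changed at next logon and
    # no usable keys exist yet; an explicit etype mask without AES bits guarantees a lockout.
    if (-not $user.PasswordLastSet) {
        Write-Warning "$name has no password set; set a password first so AES keys exist."
        continue
    }
    $etypes = $user.'msDS-SupportedEncryptionTypes'
    if ($etypes -and -not ($etypes -band ($AES128 -bor $AES256))) {
        Write-Warning "$name is explicitly limited to non-AES encryption types; fix that before adding."
        continue
    }

    # Check 3: keep the script idempotent.
    if ($user.MemberOf -contains $protectedUsers.DistinguishedName) {
        Write-Host "$name is already a member of $($protectedUsers.Name)."
        continue
    }

    Add-ADGroupMember -Identity $protectedUsers -Members $user
    Write-Host "Added $name to $($protectedUsers.Name)."
}

# Verify the resulting membership; anything other than user objects here is a mistake.
Get-ADGroupMember -Identity $protectedUsers | Select-Object SamAccountName, objectClass

# Audit: domain controllers record Protected Users outcomes in dedicated operational logs
# that are disabled by default. Enable the failure log on each DC first, e.g.
#   wevtutil sl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController" /e:true
# then review it after the change to catch members still trying NTLM or RC4.
Get-WinEvent -LogName 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it on a domain controller or a management host with RSAT as an account that can modify the group. The checks deliberately skip rather than fix: a service account belongs under an authentication policy silo or a group managed service account, not in Protected Users, and a password reset is a change the account owner should make knowingly.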
For more details on this new security group, see the Microsoft TechNet article “Protected Users Security Group.”
Here are links to full details on Active Directory concepts and installation procedures:
- How to Install Active Directory on Windows Server 2008
- How To Create Additional Domain Controller (ADC) In Windows Server 2008
- Creating a New Child Domain in Windows Server 2008
- Steps for Deploying and Installing a Read-Only Domain Controller (RODC)
Hope this post is useful for you guys! Please don’t forget to leave your comment.