AD protected users group:

https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

https://digital-forensics.sans.org/blog/2014/11/13/protecting-privileged-domain-accounts-restricted-admin-and-protected-users

https://posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d

WARNING – protected users group:

If your high-privilege account is a member of this group, you can experience behavior like access denied errors, Invoke-Command or WinRM failures, PowerShell Get-ExecutionPolicy problems…

Being a member of this group removes NTLM and CredSSP authentication for that account…

Members of the Protected Users group who are signed on to Windows 8.1 devices and Windows Server 2012 R2 hosts can no longer use:

  • Default credential delegation (CredSSP) – plaintext credentials are not cached even when the Allow delegating default credentials policy is enabled
  • Windows Digest – plaintext credentials are not cached even when they are enabled
  • NTLM – NTOWF is not cached
  • Kerberos long term keys – Kerberos ticket-granting ticket (TGT) is acquired at logon and cannot be re-acquired automatically
  • Sign-on offline – the cached logon verifier is not created

If the domain functional level is Windows Server 2012 R2, members of the group can no longer:

  • Authenticate by using NTLM authentication
  • Use Data Encryption Standard (DES) or RC4 cipher suites in Kerberos pre-authentication
  • Be delegated by using unconstrained or constrained delegation
  • Renew user tickets (TGTs) beyond the initial 4-hour lifetime


Example: the Set-AdfsSslCertificate cmdlet returns an access denied error when run under a Protected Users member.
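To see the problems listed above before they bite, the following added PowerShell audit (not part of the original post) enumerates the current members of Protected Users and flags account settings that the two restriction lists make useless or broken: delegation configured on the account, SPNs that NTLM clients would normally hit, and accounts that do not advertise AES Kerberos keys. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access; the function name Get-ProtectedUserAudit is my own.

```powershell
# Added example: audit Protected Users members for settings that conflict with the
# group's restrictions (no NTLM, no delegation, no RC4/DES Kerberos pre-auth).
# Assumes the RSAT ActiveDirectory module; Get-ProtectedUserAudit is a made-up name.
Import-Module ActiveDirectory

function Get-ProtectedUserAudit {
    [CmdletBinding()]
    param()

    $domain = Get-ADDomain
    # The KDC-side restrictions (second list above) only apply at the
    # Windows Server 2012 R2 domain functional level or higher.
    Write-Verbose "Domain functional level: $($domain.DomainMode)"

    # -Recursive expands nested groups; keep only user objects.
    $members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties `
            'msDS-AllowedToDelegateTo', 'TrustedForDelegation',
            'msDS-SupportedEncryptionTypes', 'ServicePrincipalName'

        $issues = New-Object System.Collections.Generic.List[string]

        # Constrained delegation configured on the account is no longer honoured.
        if ($u.'msDS-AllowedToDelegateTo') {
            $issues.Add('constrained delegation configured but ignored for this member')
        }
        # Unconstrained delegation (TRUSTED_FOR_DELEGATION) is likewise blocked.
        if ($u.TrustedForDelegation) {
            $issues.Add('unconstrained delegation flag set but ignored for this member')
        }
        # Service accounts with SPNs are commonly reached over NTLM; that path is closed.
        if ($u.ServicePrincipalName) {
            $issues.Add('has SPNs: NTLM clients of this service will fail')
        }
        # msDS-SupportedEncryptionTypes bits: 0x8 = AES128, 0x10 = AES256.
        # Without an AES bit the account is advertising only RC4/DES, which the KDC
        # refuses for Protected Users in Kerberos pre-authentication.
        $enc = if ($u.'msDS-SupportedEncryptionTypes') {
            [int]$u.'msDS-SupportedEncryptionTypes'
        } else { 0 }
        if (($enc -band 0x18) -eq 0) {
            $issues.Add('no AES encryption types advertised: Kerberos pre-auth may fail')
        }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            Issues         = if ($issues.Count) { $issues -join '; ' } else { 'none' }
        }
    }
}

# Usage: list members with at least one conflicting setting.
Get-ProtectedUserAudit -Verbose | Where-Object { $_.Issues -ne 'none' } | Format-Table -AutoSize
```

The checks are deliberately limited to attributes that map directly onto the restrictions quoted from Microsoft above; an empty msDS-SupportedEncryptionTypes is reported as a warning rather than a hard failure because the effective key set then depends on DC defaults and on whether the password was changed after AES became available.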
