We're currently enhancing our Active Directory (AD) security, and I've come across a recommendation to use the Protected Users Group for privileged accounts. I'd like to know which accounts specifically should be included in this group, such as domain admins or local privileged accounts. Additionally, what should I be aware of or any gotchas that others have experienced when implementing this? Thanks in advance!
5 Answers
PingCastle is a great tool to help audit your AD and ensure you’re in line with the best practices while implementing Protected Users Group. Highly recommend checking it out!
I’d advise against adding all your highly privileged users to the group in one go; it can lead to instant lockouts if their account settings are outdated. Test each account gradually while keeping a domain admin account outside the group to ensure everything runs smoothly. And always consider having a backup account with a complex password for emergencies.
And if those accounts happen to have Exchange mailboxes, just be aware that you'll run into issues with ActiveSync — Microsoft doesn’t allow that for accounts in the Protected Users Group. Definitely something to keep in mind if you have a lot of legacy admins hanging around!
It’s crucial to include all accounts with high-level privileges in the Protected Users Group — think domain admins, DNS admin accounts, and anyone who can perform significant admin functions in your domain. Just remember: this will enforce Kerberos only, which disables NTLM. This can cause issues, like not being able to create new DFS namespaces because some services still rely on NTLM. Also, once in the group, expect things like no cached logons, strict lockout rules, and limitations on delegation.
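A pre-flight audit that turns the two answers above (test accounts gradually rather than all at once; watch for outdated account settings, NTLM-only dependencies and delegation) into something you can run before touching the group. This is an added example, not code posted in the thread or shipped by Microsoft: it assumes the RSAT ActiveDirectory module, read access to the domain, the default English group names, and an illustrative list of privileged groups in $PrivilegedGroups. The $AesKeyCutoff date is a placeholder you replace with the date your domain first had Windows Server 2008 or later domain controllers, since only passwords changed after that point have AES keys, which Protected Users members need.

```powershell
# Added example (not from the thread): pre-flight audit of privileged accounts
# before adding them to Protected Users. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Assumption: adjust this list to the groups that are privileged in your domain.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'DnsAdmins')
# Placeholder: date your domain first had Windows Server 2008+ DCs.
$AesKeyCutoff = Get-Date '2015-01-01'

$protected        = Get-ADGroup -Identity 'Protected Users'
$protectedMembers = Get-ADGroupMember -Identity $protected -Recursive |
                    Select-Object -ExpandProperty DistinguishedName

# Collect user accounts (not nested groups or computers) from the privileged groups.
$candidates = foreach ($g in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }
    } catch {
        Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
    }
}
$candidates = $candidates | Sort-Object DistinguishedName -Unique

$report = foreach ($c in $candidates) {
    $u = Get-ADUser -Identity $c.DistinguishedName -Properties PasswordLastSet,
             UseDESKeyOnly, 'msDS-SupportedEncryptionTypes', TrustedForDelegation,
             ServicePrincipalName, PasswordNeverExpires, Enabled

    $issues = @()

    # Protected Users members get only AES Kerberos keys, so a DES-only account
    # will lock itself out the moment it is added.
    if ($u.UseDESKeyOnly) { $issues += 'DES-only flag set' }

    # msDS-SupportedEncryptionTypes is usually unset for users; if it is set,
    # it must include an AES bit (0x8 = AES128, 0x10 = AES256).
    $enc = $u.'msDS-SupportedEncryptionTypes'
    if ($enc -and -not ($enc -band 0x18)) {
        $issues += "msDS-SupportedEncryptionTypes=$enc lacks AES"
    }

    # AES keys only exist if the password was set after the cutoff date.
    if (-not $u.PasswordLastSet) {
        $issues += 'password never set (pwdLastSet=0)'
    } elseif ($u.PasswordLastSet -lt $AesKeyCutoff) {
        $issues += "password last set $($u.PasswordLastSet.ToShortDateString()), before AES cutoff"
    }

    # Accounts that run services or rely on delegation will break: Protected
    # Users disables NTLM, cached logons and all forms of delegation.
    if ($u.ServicePrincipalName.Count -gt 0) { $issues += 'has SPNs (service account?)' }
    if ($u.TrustedForDelegation)             { $issues += 'trusted for delegation' }
    if ($u.PasswordNeverExpires)             { $issues += 'password never expires' }

    [pscustomobject]@{
        SamAccountName   = $u.SamAccountName
        Enabled          = $u.Enabled
        InProtectedUsers = ($protectedMembers -contains $u.DistinguishedName)
        Issues           = ($issues -join '; ')
    }
}

# Accounts not yet in the group come first; an empty Issues column means the
# account is a reasonable candidate for the next batch.
$report | Sort-Object InProtectedUsers, SamAccountName | Format-Table -AutoSize
```

Run it read-only first and work through the Issues column before adding anyone; the break-glass account the second answer recommends should stay out of the group regardless of what the report says, and the report's InProtectedUsers column lets you confirm that after each batch.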
Also, if your privileged accounts are used to RDP into servers, you'll need to connect via hostnames, since they won't work with IP addresses. That took my team a little while to adjust to! Just another quirk to keep in mind.
Good to know! That’s something we tend to overlook until we hit that roadblock.

So, it sounds like we really need to evaluate our accounts before adding them to avoid locking out any critical access?