disable domain administrators credentials caching

windows domain cache password-management credentials
10,366

If your domain's functional level is Windows Server 2012 R2 or higher and your client machines are Windows 8.1 or newer, you can afford selected users additional protection by adding them to the Protected Users group.

Members of the Protected Users group who authenticate to a Windows Server 2012 R2 domain can no longer authenticate by using:

  • ...
  • Sign-in offline. A cached verifier is not created at sign-in.

Caution! Make sure not all privileged accounts are made members of Protected Users before you've finished testing the change. It's possible to lock yourself out under some circumstances (further reading).

In response to your second question: the policies that must be applied to domain controllers are the ones that affect the accounts database and authentication. For example, password policies must be enforced on a domain controller because it doesn't make sense for a single workstation to be managing credentials for a domain account. The Server Fault answer linked by Twisty in the comments is helpful.

Share:
10,366

Related videos on Youtube

crysman
Author by

crysman

See my blog if you wish... (https://www.blogger.com/profile/06229329361637313740) Or here on Wikipedia: https://cs.wikipedia.org/wiki/Wikipedista:Crysman

Updated on September 18, 2022

Comments

  • crysman
    crysman over 1 year

    Machines in AD (domain) do cache domain user credentials in default, and I like this behaviour, not only because it is especially useful in case of laptops. The number of last logons to be cached might be easily changed via GPO.

    BUT, here is the thing. I am looking for a way how to disallow the domain administrators' password to be cached on any computer in the network. The reason I want this is malware - we do not want to have whole domain compromised just because of one infected machine, right?!

    Question 1:

    How to properly disable credentials caching just for domain administrator users (and let it be enabled for normal "authenticated users") in GPO?

    I believe it shall be achieved by setting Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options GPO container\Interactive logon: Number of previous logons to cache (in case domain controller is not available) to 0

    But I haven't figured out how to successfully apply it for domain administrators only :(

    --

    Question 2:

    Also... I am aware I need to set password/credentials policies in the "Default Domain Policy" GPO branch only to actually allow them to be active/performed? But ...Is this the only exception? Which policies are those to have this exception? Is it whole "Security Settings" branch? Or just some of its sub branches? Or something else? How is it indicated in the Group Policy Management console?

    Using Windows Server 2012R2

  • crysman
    crysman about 7 years
    I've just tried this, since I like the idea pretty much, BUT ... this disallows me to connect via RDP (remote desktop) :/ saying A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For... Unfortunatelly, I would like to maintain the remote access possibility. Any other solutions?
  • Ben N
    Ben N about 7 years
    @crysman Ah, that is a problem. Are you RDP'ing in from a domain-joined workstation? I also found another article that may be relevant.
  • crysman
    crysman about 7 years
    Yes, I've tried that from a domain-joined PC. Thank you for the article, it might serve well for additional security tuning. There is nothing about RDP, though :/
  • Ravindra Bawane
    Ravindra Bawane about 7 years
    I was going to answer "no" because the cached credentials GP is a Computer Configuration, so you can't apply it to user groups, but, I'm pleasantly surprised this feature exists now! Another thing you may consider @crysman is the Local Administrator Password Solution, which allows you to apply automated password changing to the local administrator account on the computers, storing the passwords in AD objects. Using the Protected Users for Domain Admins, and then using LAPS would result in a decently secure privileged account setup.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to display all accessible domains on Windows 7?
Folder Redirection GPO setting desktop but not showing it
Windows icon cache does not exist
Adding a machine to a domain over a Cisco VPN connection
Set Google Chrome media cache size
net time command - Service is not running
Setting VPN domain Windows 10
Reset Internet Proxy Remembered Account on Windows
Can't access internet using a domain joined computer outside the domain environment
Is there a Windows solution for a program that relies on netrc?