
Machines in AD (domain) do cache domain user credentials by default, and I like this behaviour, not only because it is especially useful in the case of laptops. The number of last logons to be cached can easily be changed via GPO.

BUT, here is the thing. I am looking for a way to disallow the domain administrators' password from being cached on any computer in the network. The reason I want this is malware - we do not want to have the whole domain compromised just because of one infected machine, right?!

Question 1:

How to properly disable credentials caching just for domain administrator users (and let it be enabled for normal "authenticated users") in GPO?

I believe it shall be achieved by setting Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options GPO container\Interactive logon: Number of previous logons to cache (in case domain controller is not available) to 0

But I haven't figured out how to successfully apply it for domain administrators only :(

--

Question 2:

Also... I am aware I need to set password/credentials policies in the "Default Domain Policy" GPO branch only to actually allow them to be active/performed? But ...Is this the only exception? Which policies are those to have this exception? Is it whole "Security Settings" branch? Or just some of its sub branches? Or something else? How is it indicated in the Group Policy Management console?

Using Windows Server 2012R2

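The GPO setting named in the question is a Computer Configuration policy, so whatever value it ends up with applies to every account that logs on to that machine; before trying to scope it, it helps to see what each computer is actually enforcing. The following PowerShell is an added example, not part of the question or answer: it reads the `CachedLogonsCount` registry value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` (the value behind "Interactive logon: Number of previous logons to cache") locally or over PowerShell remoting. The computer names in the usage line are placeholders.

```powershell
# Added example, not part of the original question. It reads the registry value that the
# GPO setting "Interactive logon: Number of previous logons to cache" writes, so you can audit
# what each computer is actually doing. Computer names passed in are placeholders.
function Get-CachedLogonsSetting {
    [CmdletBinding()]
    param(
        # Computers to audit; remote hosts are queried over PowerShell remoting (WinRM).
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )

    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Runs locally or remotely; returns the effective count as an integer.
    $readCount = {
        param([string] $Key)
        $item = Get-ItemProperty -Path $Key -Name CachedLogonsCount -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Value absent: Windows falls back to its documented default of 10.
            10
        } else {
            # Stored as REG_SZ, e.g. "10" or "0".
            [int] $item.CachedLogonsCount
        }
    }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -ieq $env:COMPUTERNAME) {
                $count = & $readCount -Key $winlogonKey
            } else {
                $count = Invoke-Command -ComputerName $computer -ScriptBlock $readCount `
                                        -ArgumentList $winlogonKey -ErrorAction Stop
            }
            [pscustomobject]@{
                ComputerName      = $computer
                CachedLogonsCount = $count
                CachingDisabled   = ($count -eq 0)   # true only when the policy is set to 0
                Error             = $null
            }
        } catch {
            # Unreachable host or remoting failure: report it instead of aborting the whole audit.
            [pscustomobject]@{
                ComputerName      = $computer
                CachedLogonsCount = $null
                CachingDisabled   = $null
                Error             = $_.Exception.Message
            }
        }
    }
}

# Usage (placeholder names): audit a few workstations and list the ones still caching.
# Get-CachedLogonsSetting -ComputerName 'WS-LAPTOP01','WS-LAPTOP02' |
#     Where-Object { -not $_.CachingDisabled }
```

Because the result is per computer, not per user, the output makes the scoping problem concrete: setting the value to 0 on a laptop would stop caching for its regular user as well, which is why the accepted answer moves the restriction onto the account side instead.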

1 Answer


If your domain's functional level is Windows Server 2012 R2 or higher and your client machines are Windows 8.1 or newer, you can afford selected users additional protection by adding them to the Protected Users group.

Members of the Protected Users group who authenticate to a Windows Server 2012 R2 domain can no longer authenticate by using:

  • ...
  • Sign-in offline. A cached verifier is not created at sign-in.

Caution! Make sure not all privileged accounts are made members of Protected Users before you've finished testing the change. It's possible to lock yourself out under some circumstances (further reading).

In response to your second question: the policies that must be applied to domain controllers are the ones that affect the accounts database and authentication. For example, password policies must be enforced on a domain controller because it doesn't make sense for a single workstation to be managing credentials for a domain account. The Server Fault answer linked by Twisty in the comments is helpful.
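The answer's two conditions (domain functional level and client OS) and its caution about locking yourself out can both be checked in code before anyone is moved. The following PowerShell is an added example, not part of the answer or of any Microsoft tooling: it uses the RSAT ActiveDirectory module to verify that the domain functional level is Windows Server 2012 R2 or higher, refuses to add a designated break-glass account to Protected Users, adds the requested admin accounts (supporting `-WhatIf` for a dry run), and then reports which Domain Admins remain unprotected so the rollout can be staged. The account names in the usage line are placeholders.

```powershell
# Added example, not part of the original answer. Requires the RSAT ActiveDirectory module and
# a domain-admin session. Account names in the usage line are placeholders.
Import-Module ActiveDirectory

function Test-ProtectedUsersPrerequisite {
    # Protected Users needs a Windows Server 2012 R2 (or higher) domain functional level.
    $domain  = Get-ADDomain
    $minimum = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
    if ([int] $domain.DomainMode -lt [int] $minimum) {
        throw "Domain functional level is $($domain.DomainMode); $minimum or higher is required."
    }
    $domain.DomainMode
}

function Add-AdminToProtectedUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Privileged accounts to move into Protected Users.
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        # Accounts that must stay OUT of the group so a lockout (offline logon, RDP) can be recovered.
        [Parameter(Mandatory)] [string[]] $BreakGlass
    )

    Test-ProtectedUsersPrerequisite | Out-Null

    # Never protect the break-glass account: it is the way back in if a restriction bites.
    $overlap = $SamAccountName | Where-Object { $BreakGlass -contains $_ }
    if ($overlap) {
        throw "Refusing to protect break-glass account(s): $($overlap -join ', ')"
    }

    $group    = Get-ADGroup -Identity 'Protected Users'
    $existing = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)

    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -ErrorAction Stop
        if ($existing -contains $user.SamAccountName) {
            Write-Verbose "$name is already a member of Protected Users"
            continue
        }
        # Honours -WhatIf / -Confirm so the change can be previewed first.
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Add to Protected Users')) {
            Add-ADGroupMember -Identity $group -Members $user
        }
    }

    # Re-read membership (unchanged under -WhatIf) and report Domain Admins still unprotected.
    $now = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Protected      = ($now -contains $_.SamAccountName)
                BreakGlass     = ($BreakGlass -contains $_.SamAccountName)
            }
        }
}

# Usage (placeholder names): preview with -WhatIf, test sign-in and RDP with one account,
# then run without -WhatIf for the rest.
# Add-AdminToProtectedUsers -SamAccountName 'da.alice','da.bob' -BreakGlass 'da.breakglass' -WhatIf
```

The report at the end is deliberately the last step: an account that shows `Protected = True` and `BreakGlass = True` at the same time indicates a mistake in the inputs, and an account that is neither is one still worth testing before it is added.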

  • I've just tried this, since I like the idea pretty much, BUT ... this disallows me to connect via RDP (remote desktop) :/ saying A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For... Unfortunately, I would like to maintain the remote access possibility. Any other solutions?
    – crysman
    Commented Mar 7, 2017 at 16:31
  • @crysman Ah, that is a problem. Are you RDP'ing in from a domain-joined workstation? I also found another article that may be relevant.
    – Ben N
    Commented Mar 7, 2017 at 16:38
  • Yes, I've tried that from a domain-joined PC. Thank you for the article, it might serve well for additional security tuning. There is nothing about RDP, though :/
    – crysman
    Commented Mar 7, 2017 at 16:50
  • I was going to answer "no" because the cached credentials GP is a Computer Configuration, so you can't apply it to user groups, but, I'm pleasantly surprised this feature exists now! Another thing you may consider @crysman is the Local Administrator Password Solution, which allows you to apply automated password changing to the local administrator account on the computers, storing the passwords in AD objects. Using the Protected Users for Domain Admins, and then using LAPS would result in a decently secure privileged account setup.
    Commented Mar 7, 2017 at 17:02
