1
00:00:01,240 --> 00:00:03,140
What are Protected Users?

2
00:00:03,140 --> 00:00:07,390
While this stuff really isn't new to Windows Server 2022,

3
00:00:07,390 --> 00:00:10,880
fine-grained password policies have been around for many years.

4
00:00:10,880 --> 00:00:13,040
Same with Protected Users.

5
00:00:13,040 --> 00:00:17,960
Protected Users is a built-in domain global security group that gives

6
00:00:17,960 --> 00:00:21,260
you non-configurable account protections for members.

7
00:00:21,260 --> 00:00:23,020
Now, there are no members by default.

8
00:00:23,020 --> 00:00:27,790
You would choose the high-privilege groups and users to put in there.

9
00:00:27,790 --> 00:00:31,270
For instance, maybe Domain Admins, Enterprise Admins.

10
00:00:31,270 --> 00:00:35,370
And some of those non-configurable protections would be,

11
00:00:35,370 --> 00:00:42,640
for example, disabling the NTLM authentication protocol and requiring Kerberos.

12
00:00:42,640 --> 00:00:44,800
And also, speaking of Kerberos,

13
00:00:44,800 --> 00:00:50,120
Protected Users group members cannot have their Kerberos information,

14
00:00:50,120 --> 00:00:53,840
their tickets, and that kind of stuff, cached in memory.

15
00:00:53,840 --> 00:00:59,940
Nor can you use those protected users in a delegation scenario using

16
00:00:59,940 --> 00:01:04,340
either Kerberos constrained delegation or CredSSP.

17
00:01:04,340 --> 00:01:06,190
So these are pretty strict rules,

18
00:01:06,190 --> 00:01:11,420
but they're by design because the idea is you want to make sure to

19
00:01:11,420 --> 00:01:17,160
minimize the possible attack surface or vulnerability surface of

20
00:01:17,160 --> 00:01:19,640
those high-privilege group and user accounts,

21
00:01:19,640 --> 00:01:20,330
you see.

22
00:01:20,330 --> 00:01:20,920
Now,

23
00:01:20,920 --> 00:01:26,120
don't use something like a group Managed Service Account or a computer account.

24
00:01:26,120 --> 00:01:31,360
Don't put those in the Protected Users group because by definition you

25
00:01:31,360 --> 00:01:35,630
may need to rely on delegation with those accounts,

26
00:01:35,630 --> 00:01:38,740
and by putting those accounts into Protected Users,

27
00:01:38,740 --> 00:01:40,370
you're kind of, well,

28
00:01:40,370 --> 00:01:50,000
you're working at cross purposes with the reason why you have the gMSA or a computer account to begin with.