The Protected Users group is a global security group that enhances the security of privileged accounts by preventing their credentials from being exposed on the organization's network. Credential exposure risk is minimized by restricting membership in this group and by securing its members with effective policies by default: members of this group have non-configurable protections applied to their accounts automatically. The Protected Users group can be used to limit delegation of sensitive user accounts, the use of weak encryption algorithms, and the use of outdated authentication protocols.
Microsoft supports the Protected Users group on client computers running Windows 8.1 or later, with the Primary Domain Controller (PDC) emulator running at least Windows Server 2012 R2.
Domain controllers running an operating system earlier than Windows Server 2012 R2 can still support members of the Protected Users security group. The group is created by transferring the primary domain controller (PDC) emulator role to a domain controller that runs Windows Server 2012 R2; once the group object has replicated to the other domain controllers, the PDC emulator role can be hosted again on a domain controller that runs an earlier version of Windows Server.
When a member of the Protected Users group logs in to a Windows server, a set of protections is applied to improve the security posture; these fall into two classes: device protections and domain controller protections.
Service accounts and computer accounts should not be made members of the Protected Users group. Because their password or certificate is always available on the host, authentication will fail with a "username or password is incorrect" error.
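The two operational checks above, the PDC emulator version requirement and the rule that computer and service accounts must stay out of the group, can be verified from PowerShell. The script below is an added example, not code from this page or from ADAudit Plus; it assumes the RSAT ActiveDirectory module and a domain-joined account with read access, and it resolves the group by its well-known RID (525) rather than by name.

```powershell
# Added example (not part of the original page): review Protected Users prerequisites
# and membership from a defender's point of view. Assumes the RSAT ActiveDirectory
# module and a domain-joined account with read access to the directory.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Protected Users has the well-known RID 525 in every domain, so resolve it by SID
# rather than by a (possibly localized) display name.
$protectedUsers = Get-ADGroup -Identity "$($domain.DomainSID.Value)-525"

# 1. The PDC emulator must run Windows Server 2012 R2 (NT 6.3) or later for the group
#    to be created and for the domain-side protections to apply.
$pdc = Get-ADDomainController -Identity $domain.PDCEmulator
# OperatingSystemVersion looks like "6.3 (9600)" or "10.0 (17763)"; keep the major.minor part.
$osVersion = [version]($pdc.OperatingSystemVersion -replace '\s.*$')
if ($osVersion -lt [version]'6.3') {
    Write-Warning "PDC emulator $($pdc.HostName) runs $($pdc.OperatingSystem); Protected Users requires Windows Server 2012 R2 or later."
}

# 2. Members that should never be in the group: computer accounts, managed service
#    accounts, and user accounts carrying an SPN (a common sign of a service account).
#    Their authentication fails once protected, so flag them for review.
$findings = foreach ($member in Get-ADGroupMember -Identity $protectedUsers -Recursive) {
    $obj = Get-ADObject -Identity $member.distinguishedName -Properties objectClass, servicePrincipalName
    $reason = switch ($obj.objectClass) {
        'computer'                        { 'computer account' }
        'msDS-GroupManagedServiceAccount' { 'group managed service account' }
        'msDS-ManagedServiceAccount'      { 'managed service account' }
        default { if ($obj.servicePrincipalName) { 'user account with SPN (likely service account)' } }
    }
    if ($reason) {
        [pscustomobject]@{ Member = $member.SamAccountName; DN = $obj.DistinguishedName; Reason = $reason }
    }
}

if ($findings) {
    Write-Output "Protected Users members that will fail authentication and should be removed:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "Protected Users membership contains no computer or service accounts."
}
```

Run it periodically (or after any group-change alert) so that an accidental addition of a service or computer account is caught before it causes an outage.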
Simplify user group auditing and reporting with ADAudit Plus
Active Directory groups categorize users according to the security permissions and access assigned to them. Any unauthorized modification to a group could result in loss of access to essential information, or in malicious users being granted access to sensitive information, so it is important to track changes made to groups. ADAudit Plus simplifies monitoring of the Protected Users group by offering predefined Group Management reports along with intuitive graphical representations of the same data for ease of comprehension.
Once ADAudit Plus has been installed, it can automatically configure the audit policies required for Active Directory auditing. To enable automatic configuration:
Log in to the ADAudit Plus web console → Domain Settings → Audit Policy: Configure.
The following reports can help in monitoring changes made to the Protected Users group:
This report lists the security groups that have been created recently, along with the caller user name, the group creation time, and the scope of the group, among other information.
The report displays the groups that have been deleted recently.
This report lists all new members that have been added to security groups. It also shows which user added each member, the group it was added to, and the name of the domain controller on which the change was recorded.
This report lists all the groups that have been modified recently along with a detailed description of the change that has been made.
ADAudit Plus is real-time, web-based Windows Active Directory (AD) change reporting software that audits, reports, and alerts on Active Directory, Windows servers and workstations, and NAS storage devices to meet security and compliance requirements. In total, the solution has 200+ reports and real-time alerts to keep your network environment secure. To learn more, visit https://www.manageengine.com/active-directory-audit/