Modifying the Protected Users group members with 'Account is sensitive and cannot be delegated' and AES encryption?

EnterpriseArchitect 6,041 Reputation points
2024-09-20T06:40:54.3666667+00:00

I need some help and clarification on securing all of my Active Directory Enterprise and Domain Admin user accounts using the 'Protected Users' group and enabling these security attributes:

  1. Account is sensitive and cannot be delegated.
  2. This account supports Kerberos AES 128-bit encryption
  3. This account supports Kerberos AES 256-bit encryption

Are there any possible issues or side effects that I should expect when performing the above steps for all of my AD 'Tier-0 Admin Team', or can this also be extended to all service accounts, like the gMSA, which has a Domain Administrators group role?

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)?redirectedfrom=MSDN


1 answer

  1. Anonymous
    2024-09-23T08:43:57.9466667+00:00

    Hello EnterpriseArchitect,

    Thank you for posting in Q&A forum.

    Here is something you should be aware of before using the Protected Users group:

    Ten things you need to be aware of before using the Protected Users Group - The things that are better left unspoken (dirteam.com)

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
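
A read-only audit of the three settings listed in the question, plus Protected Users membership, as an added example that is not part of the original question or answer. Treating 'Domain Admins' and 'Enterprise Admins' as the Tier-0 set is an assumption, and the script needs the RSAT ActiveDirectory module.

```powershell
# Added example: reports current state only, changes nothing in the directory.
Import-Module ActiveDirectory

# Assumption: Tier-0 is approximated by these built-in groups; adjust to your tiering.
# 'Enterprise Admins' exists only in the forest root domain.
$tier0Groups = 'Domain Admins', 'Enterprise Admins'

# userAccountControl flag behind "Account is sensitive and cannot be delegated"
$NOT_DELEGATED = 0x100000
# msDS-SupportedEncryptionTypes bits behind the two AES checkboxes
$AES128 = 0x08
$AES256 = 0x10

# Effective (nested) membership of Protected Users, as distinguished names
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive).distinguishedName

# Every leaf member (user, computer, gMSA) of the Tier-0 groups, de-duplicated
$members = $tier0Groups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Sort-Object -Property distinguishedName -Unique

$report = foreach ($m in $members) {
    # Get-ADObject is used because a member may be a user, a computer or a gMSA
    $o = Get-ADObject -Identity $m.distinguishedName `
        -Properties userAccountControl, 'msDS-SupportedEncryptionTypes'
    $enc = [int]$o.'msDS-SupportedEncryptionTypes'   # unset attribute becomes 0

    [pscustomobject]@{
        Name           = $o.Name
        ObjectClass    = $o.ObjectClass
        ProtectedUsers = $protected -contains $o.DistinguishedName
        NotDelegated   = [bool]($o.userAccountControl -band $NOT_DELEGATED)
        AES128         = [bool]($enc -band $AES128)
        AES256         = [bool]($enc -band $AES256)
    }
}

# Accounts missing any of the settings sort to the top of each object class
$report |
    Sort-Object ObjectClass, ProtectedUsers, NotDelegated, AES256, Name |
    Format-Table -AutoSize
```

Rows with an ObjectClass other than `user` are the service and computer accounts (gMSA included) that the question asks about, so review them separately before changing group membership.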
