Modifying the Protected Users group members with 'Account is sensitive and cannot be delegated' andAES encyptions?

EnterpriseArchitect 5,406 Reputation points
2024-09-20T06:40:54.3666667+00:00

I need some help and clarification on securing all of my Active Directory Enterprise and Domain Admin user accounts using the 'Protected Users' group and enabling these security attributes:

  1. Account is sensitive and cannot be delegated.
  2. This account supports Kerberos AES 128-bit encryption
  3. This account supports Kerberos AES 256-bit encryption

Is there any possible issue or side effect that I might have to expect when performing the above steps for all of my AD 'Tier-0 Admin Team' or this can also be extended to all service accounts like the gMSA which has a Domain Administrators group role?

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)?redirectedfrom=MSDN

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,624 questions
Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,261 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,926 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,850 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Daisy Zhou 24,741 Reputation points Microsoft Vendor
    2024-09-23T08:43:57.9466667+00:00

    Hello EnterpriseArchitect,

    Thank you for posting in Q&A forum.

    Here is something you should be aware of before you using the Protected User group:

    Ten things you need to be aware of before using the Protected Users Group - The things that are better left unspoken (dirteam.com)

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.