disable domain administrators credentials caching

3

1

Machines in AD (domain) do cache domain user credentials by default, and I like this behaviour, not only because it is especially useful in the case of laptops. The number of last logons to be cached can easily be changed via GPO.

BUT, here is the thing. I am looking for a way to disallow the domain administrators' password from being cached on any computer in the network. The reason I want this is malware: we do not want the whole domain compromised just because of one infected machine, right?!

Question 1:

How to properly disable credentials caching just for domain administrator users (and let it be enabled for normal "authenticated users") in GPO?

I believe it can be achieved by setting Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available) to 0.

But I haven't figured out how to apply it to domain administrators only :(

--

Question 2:

Also... I am aware that I need to set password/credential policies in the "Default Domain Policy" GPO for them to actually be active/enforced. But is this the only exception? Which policies have this exception? Is it the whole "Security Settings" branch? Or just some of its sub-branches? Or something else? How is it indicated in the Group Policy Management console?

Using Windows Server 2012 R2

crysman

Posted 2017-03-06T16:41:29.140

Reputation: 393
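The setting named in Question 1 reaches each client as the registry value `CachedLogonsCount` (a REG_SZ holding the count, default "10") under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`; because it lives under Computer Configuration it is machine-wide, not per user. The following PowerShell is an added example, not part of the original question, that audits the effective value across a set of computers so you can see which machines still cache verifiers. The computer names are assumptions; feed them from Get-ADComputer in practice.

```powershell
# Added example (not from the original post): audit the effective
# "Interactive logon: Number of previous logons to cache" value.
# The GPO setting is stored on each client in this registry value.
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RegName = 'CachedLogonsCount'   # REG_SZ; absent value means the default of 10

function Get-CachedLogonsAudit {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName
    )

    $Results = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        param($Path, $Name)
        $Value = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -eq $Value) {
            $Effective = 10          # Windows default when the value is not set
            $Source    = 'default (value absent)'
        } else {
            $Effective = [int]$Value
            $Source    = 'registry/GPO'
        }
        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            CachedLogonsCount = $Effective
            Source            = $Source
            CachesCredentials = ($Effective -gt 0)
        }
    } -ArgumentList $Path, $Name

    # Machines that did not answer are reported separately so they are
    # never silently treated as compliant.
    $Missing = $ComputerName | Where-Object { $_ -notin @($Results.Computer) }
    if ($Missing) { Write-Warning "No result from: $($Missing -join ', ')" }

    $Results | Sort-Object Computer
}

# Assumed list of machines to check.
$Computers = @('WS01', 'WS02', 'LAPTOP07')
Get-CachedLogonsAudit -ComputerName $Computers | Format-Table -AutoSize
```

Run it from a host with PowerShell remoting enabled towards the targets. Any machine reporting `CachesCredentials = True` will hold a cached verifier for whoever signs in interactively, domain admins included, which is exactly the per-machine limitation the question runs into.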

1

The answer to your Question #2 is found here.

– I say Reinstate Monica – 2017-03-06T17:37:44.040

Answers

2

If your domain's functional level is Windows Server 2012 R2 or higher and your client machines are Windows 8.1 or newer, you can afford selected users additional protection by adding them to the Protected Users group.

Members of the Protected Users group who authenticate to a Windows Server 2012 R2 domain can no longer authenticate by using:

  • ...
  • Sign-in offline. A cached verifier is not created at sign-in.

Caution! Make sure not all privileged accounts are made members of Protected Users before you've finished testing the change. It's possible to lock yourself out under some circumstances (further reading).

In response to your second question: the policies that must be applied to domain controllers are the ones that affect the accounts database and authentication. For example, password policies must be enforced on a domain controller because it doesn't make sense for a single workstation to be managing credentials for a domain account. The Server Fault answer linked by Twisty in the comments is helpful.

Ben N

Posted 2017-03-06T16:41:29.140

Reputation: 32 973
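As an added example (not code from Ben N's answer), the following PowerShell carries out the change the answer describes, with the caution it gives: it checks the domain functional level, adds the user members of Domain Admins to Protected Users while deliberately leaving one break-glass account out, and then reports which Domain Admins are and are not protected. The break-glass account name is an assumption. Protected Users is a well-known group with RID 525 (Domain Admins is RID 512), so both are resolved by SID rather than by display name, which also survives renamed groups.

```powershell
Import-Module ActiveDirectory

# Assumed: one emergency account that must stay OUT of Protected Users so a
# mistake here cannot lock every privileged account out of the domain.
$BreakGlassAdmin = 'adm-breakglass'

$Domain = Get-ADDomain
# Protected Users needs a 2012 R2 or newer domain functional level.
$Unsupported = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain',
               'Windows2008Domain', 'Windows2008R2Domain', 'Windows2012Domain'
if ($Domain.DomainMode -in $Unsupported) {
    throw "Domain functional level $($Domain.DomainMode) does not support Protected Users."
}

# Resolve the groups by well-known RID: 525 = Protected Users, 512 = Domain Admins.
$ProtectedUsers = Get-ADGroup -Identity "$($Domain.DomainSID)-525"
$DomainAdmins   = Get-ADGroup -Identity "$($Domain.DomainSID)-512"

# Only user objects are candidates; nested groups are expanded first.
$Candidates = Get-ADGroupMember -Identity $DomainAdmins -Recursive |
              Where-Object { $_.objectClass -eq 'user' }

$AlreadyProtected = Get-ADGroupMember -Identity $ProtectedUsers -Recursive |
                    Select-Object -ExpandProperty SamAccountName

foreach ($Account in $Candidates) {
    if ($Account.SamAccountName -eq $BreakGlassAdmin) {
        Write-Warning "Skipping break-glass account $($Account.SamAccountName) on purpose."
        continue
    }
    if ($Account.SamAccountName -in $AlreadyProtected) { continue }
    Add-ADGroupMember -Identity $ProtectedUsers -Members $Account
    Write-Host "Added $($Account.SamAccountName) to Protected Users."
}

# Verify the end state account by account.
$Protected = Get-ADGroupMember -Identity $ProtectedUsers -Recursive |
             Select-Object -ExpandProperty SamAccountName
foreach ($DA in $Candidates) {
    $State = if ($DA.SamAccountName -in $Protected) { 'protected' } else { 'NOT protected' }
    '{0,-24} {1}' -f $DA.SamAccountName, $State
}
```

Test with a single admin account before running it against the whole group: membership takes effect at the next logon, and besides the cached verifier the answer quotes, members also lose NTLM, which is what the RDP-by-IP problem in the comments below comes from.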

I've just tried this, since I like the idea very much, BUT ... it prevents me from connecting via RDP (remote desktop) :/ saying "A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For..." Unfortunately, I would like to keep the remote access possibility. Any other solutions? – crysman – 2017-03-07T16:31:53.580

@crysman Ah, that is a problem. Are you RDP'ing in from a domain-joined workstation? I also found another article that may be relevant.

– Ben N – 2017-03-07T16:38:34.077

Yes, I've tried that from a domain-joined PC. Thank you for the article, it might serve well for additional security tuning. There is nothing about RDP, though :/ – crysman – 2017-03-07T16:50:45.677

1

I was going to answer "no" because the cached credentials GP is a Computer Configuration, so you can't apply it to user groups, but I'm pleasantly surprised this feature exists now! Another thing you may consider @crysman is the Local Administrator Password Solution, which allows you to apply automated password changing to the local administrator account on the computers, storing the passwords in AD objects. Using Protected Users for Domain Admins, and then using LAPS, would result in a decently secure privileged account setup. – music2myear – 2017-03-07T17:02:20.847

0

I know this is old, but since no one posts answers in forums: the problem with the Protected Users group and Remote Desktop is that you must RDP via DNS name, not via IP address.

Mark Reyes

Posted 2017-03-06T16:41:29.140

Reputation: 1
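The reason behind this answer: an IP address gives the RDP client no service principal name to request a Kerberos ticket for, so it falls back to NTLM, which Protected Users members are not allowed to use. The PowerShell below is an added example (not Mark Reyes's code) of the check a practitioner would run before blaming the group: it resolves the IP to the host's FQDN, confirms the computer object has a TERMSRV/ SPN registered, asks the KDC for a service ticket with `klist get`, and only then launches mstsc by name. The target IP address is an assumption; the "retrieved successfully" match assumes an English-language klist.

```powershell
Import-Module ActiveDirectory

# Assumed target: connecting to this address directly is what fails for a
# Protected Users member.
$TargetIP = '10.0.5.21'

# 1. Turn the address into a name Kerberos can build an SPN from.
$Fqdn = (Resolve-DnsName -Name $TargetIP -ErrorAction Stop).NameHost
if (-not $Fqdn) { throw "No PTR record for $TargetIP; fix reverse DNS or use the host name." }
Write-Host "Use $Fqdn instead of $TargetIP"

# 2. The computer object must carry a TERMSRV/<fqdn> SPN; without it even a
#    name-based RDP falls back to NTLM.
$HostName = $Fqdn.Split('.')[0]
$Spns = (Get-ADComputer -Identity $HostName -Properties ServicePrincipalNames).ServicePrincipalNames
if (-not ($Spns | Where-Object { $_ -ieq "TERMSRV/$Fqdn" })) {
    throw "No TERMSRV/$Fqdn SPN registered on $HostName; Kerberos RDP cannot work."
}

# 3. Ask the KDC for a service ticket for that SPN. Success here means the
#    RDP logon will be Kerberos, not NTLM.
$Output = (& klist get "TERMSRV/$Fqdn" 2>&1) -join "`n"
if ($Output -notmatch 'retrieved successfully') {
    throw "Could not obtain a Kerberos ticket for TERMSRV/$Fqdn`n$Output"
}
Write-Host "Kerberos ticket obtained for TERMSRV/$Fqdn; launching mstsc by name."

# 4. Connect by name, never by IP.
Start-Process mstsc.exe -ArgumentList "/v:$Fqdn"
```

If step 3 fails while the SPN is present, look at the client's own Kerberos state (a stale ticket cache, clock skew, or a DNS suffix that does not match the SPN) before touching the Protected Users membership; the group is doing exactly what it is meant to do.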