Standard Domain controller Administrator policy

    Question

  • Hi Guys,

        Recently we built a new forest domain environment. We need to verify what standard policy we can to Domain Admins accounts.

     Kindly help me to identify and to enable NT 4.0 crypto: benefits and impact, and what action has to be taken care of to run smoothly.

    NT 4.0 Crypto Enabled on Domain Controllers (AD RAP)
    Identify Actions / Changes

    Identify impact to domain structure / environment

    Thanks,

    Mahantesh 

     

    Thursday, November 24, 2016 5:16 AM

Answers

  • Hi Mahantesh,
    I am sorry that I am not able to understand your meaning clearly about “what standard policy we can to Domain Admins accounts”. Are you talking about how to secure domain admin?
    If that is the case, please follow the article as below:
    Appendix F: Securing Domain Admins Groups in Active Directory
    https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/appendix-f--securing-domain-admins-groups-in-active-directory
    Regarding the NT 4.0 Crypto, as far as I know, it is controlled by the “Allow cryptography algorithms compatible with Windows NT 4.0” policy. This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2008 or later, including this version of Windows. By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller. If you enable this policy setting, Net Logon will allow the negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. However, using the older algorithms represents a potential security risk. If you disable this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, November 25, 2016 2:40 AM
    Moderator
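
A way to check the effective state of the policy described in the answer above on a domain controller. This is an added example, not part of the original thread; the function name `Get-NT4CryptoState` is hypothetical, and the `AllowNT4Crypto` registry value and its two key paths are not mentioned in the thread but are where this Net Logon setting is stored.

```powershell
# Added example: report the effective "Allow cryptography algorithms compatible
# with Windows NT 4.0" state. Run locally on a DC, or pass -ComputerName.
function Get-NT4CryptoState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $check = {
        # Group Policy writes the first key; the second is the Netlogon service's
        # own parameters key. A policy value, when present, takes precedence.
        $keys = @(
            'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters',
            'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        )
        $value = $null
        $source = 'not configured'
        foreach ($key in $keys) {
            $item = Get-ItemProperty -Path $key -Name AllowNT4Crypto -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $value = [int]$item.AllowNT4Crypto
                $source = $key
                break
            }
        }
        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            AllowNT4Crypto      = $value
            Source              = $source
            # "Not configured" and "disabled" (0) behave the same:
            # older algorithms are refused. Only 1 allows them.
            LegacyCryptoAllowed = ($value -eq 1)
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -eq $env:COMPUTERNAME) { & $check }
        else { Invoke-Command -ComputerName $name -ScriptBlock $check }
    }
}

Get-NT4CryptoState | Format-Table -AutoSize
```

On a host with the ActiveDirectory module, `(Get-ADDomainController -Filter *).HostName` can supply the `-ComputerName` list so every domain controller in the domain is checked.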

All replies

  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    If the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    I appreciate your feedback.

    Best regards,

    Wendy



    Tuesday, November 29, 2016 4:45 AM
    Moderator