Protect domain admins group users RRS feed

  • Question

  • Hi Sir,

    We would like to prevent domain admin users’ credentials being abused on the devices where they log in.  We are thinking of using Protected Users security group. However, there have some restrictions when put domain admin user under Protected Users security group. 

    Or anyone have better idea how to protect domain admin users?



    • Moved by nzpcmad1 Tuesday, October 22, 2019 5:28 PM From ADFS
    Tuesday, October 22, 2019 3:48 AM


  • Hello,

    Thank you for posting in our forum.

    Based on my experience,Protected Users is a new global security group to which you can add new or existing users. Windows 8.1 devices and Windows Server 2012 R2 hosts have special behavior with members of this group to provide better protection against credential theft. For a member of the group, a Windows 8.1 device or a Windows Server 2012 R2 host does not cache credentials that are not supported for Protected Users. Members of this group have no additional protection if they are logged on to a device that runs a version of Windows earlier than Windows 8.1.

    So we use the "Protected Users" security group to protect the administrator's credentials from being abused.

    If we protect administrators in the AD domain, we can refer to article :Appendix F: Securing Domain Admins Groups in Active Directory 

    More information please refer to the following article: How to Configure Protected Accounts

    Hope the information can be helpful and if there is anything else we can do for you, please feel free to post in the forum.

    Best regards,

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Wednesday, October 23, 2019 9:57 AM

All replies