1
00:00:06,900 --> 00:00:14,620
The password replication policy determines which users' or computers' credentials a specific RODC

2
00:00:14,670 --> 00:00:16,230
caches.

3
00:00:16,260 --> 00:00:25,470
If a password replication policy allows an RODC to cache a user's credentials, the RODC can process

4
00:00:25,680 --> 00:00:34,650
that user's authentication and service ticket activities. If an RODC does not cache a user's credentials,

5
00:00:34,850 --> 00:00:43,230
the RODC refers the authentication and service ticket activities to a writable domain controller.

6
00:00:43,500 --> 00:00:51,060
Two multivalued attributes of the RODC computer account determine the password replication

7
00:00:51,060 --> 00:00:59,500
policy of an RODC. These attributes are the allowed list and the denied list.

8
00:00:59,610 --> 00:01:08,010
If a user's account is on the allowed list, the RODC caches the user's credentials. You

9
00:01:08,010 --> 00:01:15,630
can include groups on the allowed list, in which case the RODC caches all users who belong to the

10
00:01:15,630 --> 00:01:16,290
group.

11
00:01:16,350 --> 00:01:25,380
If a user is on both the allowed list and the denied list, the user's credentials are not cached: the denied

12
00:01:25,740 --> 00:01:28,410
list takes precedence.

13
00:01:28,410 --> 00:01:35,820
Now some words about the domain-wide password replication policy. To facilitate the management of your password

14
00:01:35,820 --> 00:01:42,790
replication policy, Windows Server 2008 or newer operating systems

15
00:01:42,960 --> 00:01:51,750
create two domain local security groups in the Users container within AD DS. The first group is

16
00:01:51,990 --> 00:01:55,710
Allowed RODC Password Replication Group.

17
00:01:55,710 --> 00:02:01,870
Members of this group are included in the allowed list of each new RODC.

18
00:02:02,040 --> 00:02:05,040
By default, the group has no members.
19
00:02:05,040 --> 00:02:11,550
Therefore, by default, a new RODC does not cache any user's credentials.

20
00:02:11,550 --> 00:02:20,400
You should add users for whom you want all domain RODCs to cache credentials to the Allowed RODC

21
00:02:20,400 --> 00:02:27,600
Password Replication Group. The second group is Denied RODC Password Replication Group.

22
00:02:27,900 --> 00:02:33,930
Members of this group are included in the denied list of each new RODC.

23
00:02:34,140 --> 00:02:42,420
You should add users whose credentials you want to ensure are never cached by domain RODCs to the

24
00:02:42,420 --> 00:02:46,750
Denied RODC Password Replication Group. By default,

25
00:02:46,800 --> 00:02:55,310
this group contains security-sensitive accounts that are members of groups including Domain Admins, Enterprise

26
00:02:55,310 --> 00:02:59,010
Admins, and Group Policy Creator Owners.

27
00:02:59,010 --> 00:03:08,380
You should also note that users are not the only generators of authentication and service ticket activity.

28
00:03:08,520 --> 00:03:16,200
Computers in a branch office also require such activity. To improve system performance, and to ensure

29
00:03:16,200 --> 00:03:23,940
that computers can establish a secure channel with a domain controller in a branch office,

30
00:03:23,940 --> 00:03:31,440
also allow the branch RODC to cache computer credentials during a WAN outage.

31
00:03:31,440 --> 00:03:40,710
Be aware that users are only able to sign in when both the computer's and the user's credentials are

32
00:03:40,710 --> 00:03:41,580
cached.

33
00:03:41,580 --> 00:03:47,940
You should also consider an RODC-specific password replication policy.

34
00:03:47,940 --> 00:03:53,520
These two groups allow you to manage the password replication policy on all RODCs.

35
00:03:54,120 --> 00:03:58,300
However, to best support a branch office scenario,
36
00:03:58,320 --> 00:04:07,200
you need to allow the RODC in each branch office to cache user and computer credentials in that specific

37
00:04:07,200 --> 00:04:08,160
location.

38
00:04:08,160 --> 00:04:16,520
Therefore, while you can use the global denied list, you should configure a specific allowed list

39
00:04:16,530 --> 00:04:18,550
for each RODC.

40
00:04:18,600 --> 00:04:27,320
Now some words about the RODC filtered attribute set. Some apps that use AD DS as a data store might

41
00:04:27,330 --> 00:04:35,040
use credential-like data, such as passwords, credentials, and encryption keys, which you do not

42
00:04:35,040 --> 00:04:37,270
want to store on an RODC

43
00:04:37,580 --> 00:04:45,540
in case it becomes compromised. For these apps, you can configure a set of schema attributes that will not

44
00:04:45,540 --> 00:04:47,330
replicate to an RODC.

45
00:04:47,330 --> 00:04:56,400
This set of attributes is the RODC filtered attribute set. Attributes that you define in

46
00:04:56,400 --> 00:05:03,990
the RODC filtered attribute set cannot replicate to any RODC in the forest.

47
00:05:04,050 --> 00:05:11,920
You cannot add system-critical attributes to the RODC filtered attribute set. An attribute is

48
00:05:12,220 --> 00:05:13,540
system-critical

49
00:05:13,540 --> 00:05:22,090
if any of the following require it to function properly: for example, AD DS, the Local Security Authority,

50
00:05:22,420 --> 00:05:31,900
the Security Accounts Manager, or Microsoft-specific Security Support Provider Interfaces such as the Kerberos

51
00:05:31,930 --> 00:05:33,850
version 5 protocol.

52
00:05:33,850 --> 00:05:41,890
If you have apps that you want to use the RODC filtered attribute set, you have to verify with

53
00:05:41,890 --> 00:05:42,430
the app

54
00:05:42,430 --> 00:05:51,790
vendor whether they support write requests to an RODC, as they receive referrals to a full domain controller.
55
00:05:51,790 --> 00:06:00,160
Apps that ask an RODC for an attribute in the RODC filtered attribute set receive it

56
00:06:00,250 --> 00:06:07,020
as empty. An RODC knows about the attribute but never receives a value for it.

57
00:06:07,060 --> 00:06:14,470
The app must be aware of this feature and know to request a writable domain controller

58
00:06:14,590 --> 00:06:18,760
when reading the RODC filtered attribute set.
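The PowerShell below is an example added to this page; it is not part of the transcript and not Microsoft's own sample code. It shows how the policy the narrator describes is inspected and configured with the RSAT ActiveDirectory module: reading the two multivalued attributes on the RODC computer account that hold the allowed and denied lists, setting a site-specific allowed list instead of relying on the domain-wide Allowed RODC Password Replication Group, checking for accounts that are also on the denied list (which wins), listing which accounts the RODC has actually cached, and listing the schema attributes currently in the RODC filtered attribute set. The RODC name, the branch group name, and the attribute name in the last step are assumptions; run it as a Domain Admin (the schema step additionally needs Schema Admins and the schema master).

```powershell
# Added example (not from the transcript). Assumptions: an RODC named BRANCH-RODC1,
# a group Branch-Seattle-Users that holds the site's users and computers, and an
# application schema attribute named app-SecretKey. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

$Rodc        = 'BRANCH-RODC1'                          # assumed RODC computer name
$BranchGroup = 'Branch-Seattle-Users'                  # assumed site-specific group
$DeniedGroup = 'Denied RODC Password Replication Group' # built-in domain local group
$AppAttr     = 'app-SecretKey'                         # assumed attribute to filter

# 1. The two multivalued attributes of the RODC computer account that form its PRP:
#    msDS-RevealOnDemandGroup is the allowed list, msDS-NeverRevealGroup the denied list.
Get-ADComputer $Rodc -Properties 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup' |
    Select-Object Name,
        @{ n = 'AllowedList'; e = { $_.'msDS-RevealOnDemandGroup' } },
        @{ n = 'DeniedList';  e = { $_.'msDS-NeverRevealGroup' } }

# 2. The same lists through the PRP cmdlets (resolved to principals).
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

# 3. Site-specific allowed list: add the branch group (users and computers of that
#    location) to this RODC only; the global denied list stays in effect.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup

# 4. Denied takes precedence over allowed: warn about branch members who will never
#    be cached because they also sit in the denied group (directly or via nesting).
$deniedDNs = Get-ADGroupMember $DeniedGroup -Recursive |
    Select-Object -ExpandProperty DistinguishedName
Get-ADGroupMember $BranchGroup -Recursive |
    Where-Object { $deniedDNs -contains $_.DistinguishedName } |
    ForEach-Object {
        Write-Warning "$($_.SamAccountName) is in $BranchGroup but also denied; $Rodc will not cache it"
    }

# 5. What the RODC has actually cached (revealed), versus everyone who has authenticated
#    through it. Accounts in the second list but not the first were referred to a
#    writable DC; users can only sign in during a WAN outage if both their own and
#    their computer's account appear in the first list.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass

# 6. RODC filtered attribute set: schema attributes whose searchFlags has bit 0x200
#    (fRODCFilteredAttribute) set. The LDAP_MATCHING_RULE_BIT_AND rule tests the bit.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=512))' `
    -Properties lDAPDisplayName, searchFlags |
    Select-Object lDAPDisplayName, searchFlags

# 7. Add the assumed application attribute to the filtered set. This must be written on
#    the schema master; the DC rejects the change for system-critical attributes.
$schemaMaster = (Get-ADForest).SchemaMaster
$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AppAttr))" `
    -Properties searchFlags
if ($attr) {
    $newFlags = [int]$attr.searchFlags -bor 0x200
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ searchFlags = $newFlags }
    # Confirm the bit is now set on the schema master.
    (Get-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Properties searchFlags).searchFlags
} else {
    Write-Warning "Attribute $AppAttr not found in the schema; nothing changed"
}
```

Step 7 only marks the attribute; an application that reads it from the RODC afterwards still gets an empty value, as the transcript says, so the application side must be confirmed to follow the referral to a writable domain controller before the change is rolled out.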