1
00:00:06,430 --> 00:00:08,980
In most AD DS deployments,

2
00:00:08,980 --> 00:00:17,780
some security groups are considered security critical. Windows Server 2016 or later

3
00:00:17,790 --> 00:00:18,660
provides

4
00:00:18,710 --> 00:00:27,430
the Restricted Groups feature and the Protected Users security group feature to provide additional

5
00:00:27,430 --> 00:00:36,520
protection for these groups. Restricted groups. For security-critical local groups on servers or workstations,

6
00:00:36,880 --> 00:00:45,700
you can use the Restricted Groups functionality available in Group Policy to control membership in

7
00:00:45,700 --> 00:00:52,690
these groups and memberships of these groups. Restricted groups allow you to select a local security

8
00:00:52,690 --> 00:01:02,500
group and define two attributes: Members and Member Of. When you define the Members attribute, you specify

9
00:01:02,530 --> 00:01:10,090
who should and should not belong to the restricted group being configured. When you configure the Members

10
00:01:10,210 --> 00:01:19,120
attribute, any current member of a restricted group that is not listed as a member is removed automatically,

11
00:01:19,480 --> 00:01:26,210
with the exception of the administrator and the Administrators group. Additionally, any user that

12
00:01:26,210 --> 00:01:33,490
is listed as a member who is not currently a member of the restricted group is added automatically. When

13
00:01:33,490 --> 00:01:40,600
you use the Member Of attribute of a restricted group, make sure that the restricted group is a member

14
00:01:40,600 --> 00:01:50,080
of groups that are listed in the Member Of text box. You cannot use this attribute to remove the restricted

15
00:01:50,080 --> 00:01:59,560
group from any other group. To configure restricted groups, open Group Policy Management Editor and navigate

16
00:01:59,620 --> 00:02:08,770
to the Computer Configuration\Policies\Windows Settings\Security Settings node. An example of when you

17
00:02:08,770 --> 00:02:16,180
might want to use restricted groups is if you want to control membership in the local administrator

18
00:02:16,190 --> 00:02:19,690
group on your organization's workstations.

19
00:02:19,750 --> 00:02:25,800
Please note that you cannot use this feature to manage domain groups in AD DS.

20
00:02:25,840 --> 00:02:35,920
You must use the Restricted Groups feature only with local groups on client or server computers.

21
00:02:35,920 --> 00:02:41,800
Now let's talk about Protected Users security groups. Windows Server 2012

22
00:02:41,800 --> 00:02:52,300
R2 introduced the Protected Users security group, which generates non-configurable protection on

23
00:02:52,630 --> 00:03:01,270
devices and computers that are run on Windows Server 2012 R2 or newer operating systems.

24
00:03:01,270 --> 00:03:10,000
Domain controllers and domains with a primary domain controller that are run on Windows Server 2012

25
00:03:10,140 --> 00:03:11,680
R2 or newer.

26
00:03:11,860 --> 00:03:20,170
This substantially reduces the memory footprint of credentials when users sign in to computers on the

27
00:03:20,440 --> 00:03:24,400
network from an uncompromised computer.

28
00:03:24,400 --> 00:03:31,630
Consider the following points when the user is in the Protected Users group. The Protected Users group member

29
00:03:31,840 --> 00:03:41,920
cannot authenticate by using NTLM or Digest authentication or Credential Security Support

30
00:03:42,130 --> 00:03:51,250
Provider, which is an authentication mechanism also known as CredSSP. On devices running Windows

31
00:03:51,580 --> 00:04:00,700
8.1 and newer, passwords are not cached, so the device that uses any one of these security support

32
00:04:00,700 --> 00:04:11,590
provider, or SSP, will fail to authenticate to a domain when the account is part of the Protected Users group.

33
00:04:11,590 --> 00:04:20,470
Another point is the Kerberos protocol, which will not use the weaker Data Encryption Standard, or DES,

34
00:04:20,560 --> 00:04:27,490
or RC4 encryption types in the pre-authentication process.

35
00:04:27,490 --> 00:04:36,580
Therefore, you must configure the domain to support at least the enhanced security encryption standard

36
00:04:36,850 --> 00:04:41,800
cipher suite, or AES cipher suite.

37
00:04:41,800 --> 00:04:50,680
Another point is that you cannot delegate the user's account with Kerberos constrained or unconstrained

38
00:04:50,770 --> 00:04:51,930
delegation.

39
00:04:51,970 --> 00:05:00,760
This can cause former connections to other systems to fail if the user is in the Protected Users group.

40
00:05:00,760 --> 00:05:11,930
Another point is the default Kerberos TGT's lifetime setting of four hours is configurable

41
00:05:11,930 --> 00:05:19,610
by using Authentication Policies and Silos, which you can access through the Active Directory Administrative

42
00:05:19,610 --> 00:05:20,510
Center.

43
00:05:20,510 --> 00:05:27,350
This means that the user must authenticate again after four hours.

44
00:05:27,350 --> 00:05:32,550
Next up, we'll be talking about fine-grained password and lockout policies.

45
00:05:32,570 --> 00:05:33,370
I'll see you there.