question

SF-6505 avatar image
0 Votes"
SF-6505 asked SF-6505 commented

Procted user and service account

Hi,

which kind of issue if we add a service account to protected users group ?

windows-serverwindows-active-directorywindows-server-2016
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thameur-BOURBITA avatar image
0 Votes"
Thameur-BOURBITA answered SF-6505 commented

Hi,


Below Microsoft recommendation :


162905-im.png


protected-users-security-group


please don't forget to mark helpful reply as answer


im.png (32.7 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you for our answer

0 Votes 0 ·
GaryReynolds avatar image
0 Votes"
GaryReynolds answered SF-6505 commented

Hi @SF-6505

Have a look at this article which contains details of the restriction that will be applied to user objects that are added to the Protected Users Group. https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group.

The restriction that can cause the most issues, especially if the service account is used for older application\service, is the removal of the ability to use NTLM to authentication to domain controllers, which could cause the service to fail to start or run correctly.

If you have a test environment, to best approach would be to test the change to understand the impacts on the service accounts. The plus point is that it's pretty simple to reverse the impacts by removing the service account from the Protected Users Group.

Gary.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

thank you for your answer much appreciated

0 Votes 0 ·