Protected Users Security Group

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic for the IT professional describes the Active Directory security group Protected Users and explains how it works. This group was introduced in Windows Server 2012 R2 domain controllers.

This security group is designed as part of a strategy to manage credential exposure within the enterprise. Members of this group automatically have non-configurable protections applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify these protections for an account is to remove the account from the security group.

Accounts for services and computers should never be members of the Protected Users group. This group provides incomplete protection for them anyway, because the password or certificate is always available on the host. Authentication will fail with the error "the user name or password is incorrect" for any service or computer that is added to the Protected Users group.

This domain-related, global group triggers non-configurable protection on devices and host computers running Windows Server 2012 R2 and Windows 8.1 or later for users in domains with a primary domain controller running Windows Server 2012 R2. This greatly reduces the default memory footprint of credentials when users sign in to computers with these protections.

For more information, see How the Protected Users group works in this topic.

Protected Users group requirements

Requirements to provide device protections for members of the Protected Users group include:

  • The Protected Users global security group is replicated to all domain controllers in the account domain.

  • Windows 8.1 and Windows Server 2012 R2 added support by default. Microsoft Security Advisory 2871997 adds support to Windows 7, Windows Server 2008 R2 and Windows Server 2012.

Requirements to provide domain controller protection for members of the Protected Users group include:

  • Users must be in domains which are at the Windows Server 2012 R2 or higher domain functional level.

Adding the Protected Users global security group to down-level domains

Domain controllers that run an operating system earlier than Windows Server 2012 R2 can support adding members to the new Protected Users security group. This allows the users to benefit from device protections before the domain is upgraded.

The domain controllers will not support domain protections.

The Protected Users group can be created by transferring the primary domain controller (PDC) emulator role to a domain controller that runs Windows Server 2012 R2. After that group object is replicated to other domain controllers, the PDC emulator role can be hosted on a domain controller that runs an earlier version of Windows Server.
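The following script is an added example, not code from the Microsoft documentation page. It checks the requirements listed in the two sections above against the current domain: whether the Protected Users group exists (well-known RID 525), whether it has replicated to every domain controller, whether the domain functional level is high enough for domain controller protections, and which operating system the PDC emulator runs. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the domain controller name in the final comment is a placeholder.

```powershell
# Added example (not from the Microsoft documentation page): checks the
# Protected Users prerequisites for the current domain.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$groupSid = "$($domain.DomainSID.Value)-525"     # Protected Users = well-known RID 525

# Domain controller protections require a Windows Server 2012 R2 or higher
# domain functional level.
$requiredMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
$dflOk        = ([int]$domain.DomainMode) -ge ([int]$requiredMode)

# The group is created by a PDC emulator that runs Windows Server 2012 R2.
$pdc   = Get-ADDomainController -Identity $domain.PDCEmulator
$group = Get-ADGroup -Identity $groupSid -ErrorAction SilentlyContinue

# Device protections require the group to be replicated to every DC in the
# account domain, so look the group up on each DC individually.
$missing = foreach ($dc in Get-ADDomainController -Filter *) {
    $onDc = Get-ADGroup -Identity $groupSid -Server $dc.HostName -ErrorAction SilentlyContinue
    if (-not $onDc) { $dc.HostName }
}

[pscustomobject]@{
    Domain                     = $domain.DNSRoot
    DomainFunctionalLevel      = $domain.DomainMode
    DomainProtectionsSupported = $dflOk
    PdcEmulator                = $pdc.HostName
    PdcEmulatorOS              = $pdc.OperatingSystem
    ProtectedUsersGroupExists  = [bool]$group
    DCsMissingGroup            = ($missing -join ', ')
}

# In a down-level domain where the group does not exist yet, transfer the PDC
# emulator role to a Windows Server 2012 R2 DC ('<dc-2012r2>' is a placeholder),
# wait for the group to replicate, then the role may be moved back:
#   Move-ADDirectoryServerOperationMasterRole -Identity '<dc-2012r2>' -OperationMasterRole PDCEmulator
```

A populated DCsMissingGroup column means some domain controllers have not yet received the group object, so device protections will not apply consistently for users who authenticate against those DCs until replication completes.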

Protected Users group AD properties

The following table specifies the properties of the Protected Users group.

Attribute                                                           Value
Well-known SID/RID                                                  S-1-5-21-<domain>-525
Type                                                                Domain Global
Default container                                                   CN=Users, DC=<domain>, DC=
Default members                                                     None
Default member of                                                   None
Safe to move out of default container?                              Yes
Safe to delegate management of this group to non-service admins?    No
Default user rights                                                 No default user rights

How the Protected Users group works

This section explains how the Protected Users group works when:

  • Signed in to a Windows device

  • The user account domain is at a Windows Server 2012 R2 or higher domain functional level

Device protections for signed-in Protected Users

When the signed-in user is a member of the Protected Users group, the following protections are applied:

  • Credential delegation (CredSSP) will not cache the user's plain text credentials even when the Allow delegating default credentials Group Policy setting is enabled.

  • Beginning with Windows 8.1 and Windows Server 2012 R2, Windows Digest will not cache the user's plain text credentials even when Windows Digest is enabled.

After installing Microsoft Security Advisory 2871997, Windows Digest will continue to cache credentials until the registry key is configured. See Microsoft Security Advisory: Update to improve credentials protection and management: May 13, 2014 for instructions.

  • NTLM will not cache the user's plain text credentials or the NT one-way function (NTOWF).

  • Kerberos will no longer create DES or RC4 keys. Also, it will not cache the user's plain text credentials or long-term keys after the initial TGT is acquired.

  • A cached verifier is not created at sign-in or unlock, so offline sign-in is no longer supported.

After the user account is added to the Protected Users group, protection will begin when the user signs in to the device.

Domain controller protections for Protected Users

Accounts that are members of the Protected Users group and authenticate to a Windows Server 2012 R2 domain are unable to:

  • Authenticate with NTLM authentication.

  • Use DES or RC4 encryption types in Kerberos pre-authentication.

  • Be delegated with unconstrained or constrained delegation.

  • Renew the Kerberos TGTs beyond the initial four-hour lifetime.

Non-configurable settings for TGT expiration are established for every account in the Protected Users group. Normally, the domain controller sets the TGT lifetime and renewal based on the domain policies Maximum lifetime for user ticket and Maximum lifetime for user ticket renewal. For the Protected Users group, 600 minutes is set for these domain policies.
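The following script is an added example, not code from the Microsoft documentation page. It audits the current membership of Protected Users for the cases this topic says will break: the service and computer accounts that the note at the top says should never be members (computer objects, managed service accounts, and user objects carrying service principal names), and accounts restricted to DES-only Kerberos keys, which cannot authenticate once the domain controller protections above refuse DES. It assumes the ActiveDirectory PowerShell module and read access to the domain.

```powershell
# Added example (not from the Microsoft documentation page): audits the members
# of Protected Users for accounts that should not be there or that will fail
# to authenticate under the group's protections.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$groupSid = "$($domain.DomainSID.Value)-525"     # Protected Users = well-known RID 525
$DesKeyOnlyFlag = 0x200000                       # USE_DES_KEY_ONLY bit of userAccountControl

# -Recursive flattens nested groups so every effective member is examined.
$members = Get-ADGroupMember -Identity $groupSid -Recursive

$report = foreach ($m in $members) {
    $findings = @()

    switch ($m.objectClass) {
        'computer'                        { $findings += 'computer account' }
        'msDS-ManagedServiceAccount'      { $findings += 'standalone managed service account' }
        'msDS-GroupManagedServiceAccount' { $findings += 'group managed service account' }
    }

    if ($m.objectClass -eq 'user') {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties servicePrincipalName, userAccountControl
        if ($u.servicePrincipalName.Count -gt 0) {
            # A user object with SPNs is almost always a service account.
            $findings += 'user with service principal names'
        }
        if (($u.userAccountControl -band $DesKeyOnlyFlag) -ne 0) {
            # Kerberos no longer creates DES keys for Protected Users, so this
            # account would have no usable key.
            $findings += 'DES-only Kerberos flag set'
        }
    }

    [pscustomobject]@{
        Name        = $m.SamAccountName
        ObjectClass = $m.objectClass
        Findings    = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}

$report | Sort-Object Findings -Descending | Format-Table -AutoSize
```

Rows whose Findings column is anything other than ok are candidates for removal from the group; the topic's own guidance is that removing the account from the group is the only way to lift the protections for it.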

For more information, see How to Configure Protected Accounts.

Two operational administrative logs are available to help troubleshoot events that are related to Protected Users. These new logs are located in Event Viewer, are disabled by default, and are found under Applications and Services Logs\Microsoft\Windows\Authentication.

Event ID and Log    Description

Reason: The security package on the client does not contain the credentials.

The error is logged in the client computer when the account is a member of the Protected Users security group. This event indicates that the security package does not cache the credentials that are needed to authenticate to the server.

Displays the package name, user name, domain name, and server name.

Reason: The security package does not store the Protected User's credentials.

An informational event is logged in the client to indicate that the security package does not cache the user's sign-in credentials. It is expected that Digest (WDigest), Credential Delegation (CredSSP), and NTLM fail to have sign-on credentials for Protected Users. Applications can still succeed if they prompt for credentials.

Displays the package name, user name, and domain name.

Reason: An NTLM sign-in failure occurs for an account that is in the Protected Users security group.

An error is logged in the domain controller to indicate that NTLM authentication failed because the account was a member of the Protected Users security group.

Displays the account name and device name.

Reason: DES or RC4 encryption types are used for Kerberos authentication and a sign-in failure occurs for a user in the Protected Users security group.

Kerberos pre-authentication failed because DES and RC4 encryption types cannot be used when the account is a member of the Protected Users security group.

(AES is acceptable.)

Reason: A Kerberos ticket-granting ticket (TGT) was successfully issued for a member of the Protected Users group.
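The following script is an added example, not code from the Microsoft documentation page. It enables the Protected Users operational logs described above, which are disabled by default, and then lists their recent events grouped by event ID. The topic places the logs under Applications and Services Logs\Microsoft\Windows\Authentication, which in Get-WinEvent terms is the "Microsoft-Windows-Authentication/" log-name prefix; the script discovers the exact log names from that prefix rather than assuming them, and the event IDs themselves are read from whatever the logs contain. It assumes it is run from an elevated PowerShell session (on a client it finds the client-side log, on a domain controller the DC-side logs).

```powershell
# Added example (not from the Microsoft documentation page): enables the
# Protected Users operational logs and summarises their recent events.
# Assumes an elevated session; SaveChanges() needs administrator rights.

# Discover the logs under Microsoft\Windows\Authentication by name prefix.
$logs = Get-WinEvent -ListLog 'Microsoft-Windows-Authentication/*' -ErrorAction SilentlyContinue

if (-not $logs) {
    Write-Warning 'No Microsoft-Windows-Authentication logs found on this host.'
    return
}

foreach ($log in $logs) {
    if (-not $log.IsEnabled) {
        # The logs are disabled by default; turn them on so future sign-ins
        # and authentication failures are recorded.
        $log.IsEnabled = $true
        $log.SaveChanges()
        Write-Host "Enabled $($log.LogName)"
    }
}

# Read the most recent events from each log. A log that was only just enabled
# is empty, so suppress the 'no events found' error.
foreach ($log in $logs) {
    $events = Get-WinEvent -LogName $log.LogName -MaxEvents 200 -ErrorAction SilentlyContinue
    if (-not $events) { continue }

    Write-Host "`n== $($log.LogName) =="
    # Count by event ID so repeated failures for one account stand out.
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{n='EventId';e={$_.Name}}, Count |
        Format-Table -AutoSize

    # Show the newest entries in full; the Message field carries the package,
    # user, domain, server or device names listed in the table above.
    $events | Select-Object -First 10 TimeCreated, Id, LevelDisplayName, Message |
        Format-List
}
```

On a domain controller the failure-side log is the one to watch after adding accounts to the group: a burst of NTLM or DES/RC4 failures for one account usually means a service or scheduled task is still using that account and the account should not have been made a member.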

Additional resources