Protected Users Security Group

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic for the IT professional describes the Active Directory security group Protected Users and explains how it works. The group was introduced with Windows Server 2012 R2 domain controllers.

Overview

This security group is designed as part of a strategy to manage credential exposure within the enterprise. Members of this group automatically have non-configurable protections applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only way to modify these protections for an account is to remove the account from the security group.

Warning

Accounts for services and computers should never be members of the Protected Users group. The group would provide only incomplete protection for them anyway, because the password or certificate is always available on the host. Authentication will fail with the error "The user name or password is incorrect" for any service or computer account that is added to the Protected Users group.

This domain-related global group triggers non-configurable protections on devices and host computers running Windows Server 2012 R2 and Windows 8.1 or later, for users in domains whose primary domain controller runs Windows Server 2012 R2 or later. This greatly reduces the default memory footprint of credentials when users sign in to computers with these protections.

For more information, see How the Protected Users group works later in this topic.

Protected Users group requirements

Requirements to provide device protections for members of the Protected Users group:

  • The Protected Users global security group has replicated to all domain controllers in the account domain.

  • Windows 8.1 and Windows Server 2012 R2 support the protections by default. Microsoft Security Advisory 2871997 adds support to Windows 7, Windows Server 2008 R2, and Windows Server 2012.

Requirements to provide domain controller protections for members of the Protected Users group:

  • Users must be in domains at the Windows Server 2012 R2 or higher domain functional level.

Adding the Protected Users global security group to down-level domains

Domain controllers that run an operating system earlier than Windows Server 2012 R2 can support adding members to the new Protected Users security group. This lets users benefit from the device protections before the domain is upgraded.

Note

Those down-level domain controllers will not enforce the domain controller protections.

The Protected Users group can be created by transferring the primary domain controller (PDC) emulator role to a domain controller that runs Windows Server 2012 R2. After the group object has replicated to the other domain controllers, the PDC emulator role can be moved back to a domain controller that runs an earlier version of Windows Server.
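The procedure above, as an added PowerShell example that is not part of the original page: it checks which DC holds the PDC emulator role and whether its OS is at least Windows Server 2012 R2, then looks the group up by its well-known RID (525) on every DC to confirm replication. It assumes the ActiveDirectory RSAT module and read access to the domain; the Move-ADDirectoryServerOperationMasterRole command is only printed as a hint, not executed.

```powershell
# Added example; not part of the original page. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = Get-ADDomainController -Identity $domain.PDCEmulator
"PDC emulator: {0} running {1}" -f $pdc.HostName, $pdc.OperatingSystem

# OperatingSystemVersion looks like "6.3 (9600)"; 6.3 is Windows Server 2012 R2.
$pdcVersion = [version]$pdc.OperatingSystemVersion.Split(' ')[0]
if ($pdcVersion -lt [version]'6.3') {
    Write-Warning "The PDC emulator is older than Windows Server 2012 R2, so the group will not be created."
    Write-Warning "Transfer the role first, e.g.: Move-ADDirectoryServerOperationMasterRole -Identity <2012R2-DC> -OperationMasterRole PDCEmulator"
}

# Look the group up by SID (domain SID + RID 525) on each DC, so a renamed group is still found.
$protectedUsersSid = '{0}-525' -f $domain.DomainSID.Value
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $g = Get-ADGroup -Identity $protectedUsersSid -Server $dc.HostName -ErrorAction Stop
        '{0}: present as "{1}" at {2}' -f $dc.HostName, $g.Name, $g.DistinguishedName
    } catch {
        '{0}: NOT replicated yet ({1})' -f $dc.HostName, $_.Exception.Message
    }
}

# Down-level DCs give only device protections; DC-side enforcement needs the 2012 R2 DFL.
"Domain functional level: {0}" -f $domain.DomainMode
```

Run it once before moving the PDC emulator role back to a down-level DC: every DC should report the group as present, otherwise members of the group in sites that replicate slowly will not get device protections yet.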

Protected Users group AD properties

The following table lists the properties of the Protected Users group.

Attribute | Value
--- | ---
Well-known SID/RID | S-1-5-21-<domain>-525
Type | Domain Global
Default container | CN=Users, DC=<domain>, DC=<tld>
Default members | None
Default member of | None
Protected by ADMINSDHOLDER? | No
Safe to move out of default container? | Yes
Safe to delegate management of this group to non-service admins? | No
Default user rights | No default user rights
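An added PowerShell example (not code from the original page) that uses the well-known RID from the table to manage membership, and enforces the warning above by refusing computer accounts, managed service accounts and users that carry SPNs. It assumes the ActiveDirectory module; the sAMAccountNames at the bottom are placeholders.

```powershell
# Added example; not part of the original page. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ProtectedUsersGroup {
    # Resolve by well-known RID 525 relative to the domain SID rather than by name,
    # so the lookup still works if the group was renamed or moved out of CN=Users.
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADGroup -Identity "$domainSid-525"
}

function Add-ProtectedUserSafely {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    $group = Get-ProtectedUsersGroup

    foreach ($sam in $SamAccountName) {
        # LDAP filter, because sAMAccountName ends in "$" for computer accounts.
        $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -Properties servicePrincipalName
        if (-not $obj) { Write-Warning "$sam not found"; continue }

        # Computer accounts, (group) managed service accounts and users carrying SPNs
        # are service identities: their secret lives on a host, and as Protected Users
        # they would simply stop authenticating.
        $serviceClasses = 'computer', 'msDS-ManagedServiceAccount', 'msDS-GroupManagedServiceAccount'
        $isService = ($obj.ObjectClass -in $serviceClasses) -or ($obj.servicePrincipalName.Count -gt 0)
        if ($isService) {
            Write-Warning "Skipping $sam (objectClass $($obj.ObjectClass)): service/computer accounts must not be Protected Users"
            continue
        }

        Add-ADGroupMember -Identity $group -Members $obj.DistinguishedName
        "Added $sam to $($group.Name); protections apply from the next sign-in"
    }
}

function Remove-ProtectedUser {
    # Removing the account is the only way to switch the protections off again.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Remove-ADGroupMember -Identity (Get-ProtectedUsersGroup) -Members $SamAccountName -Confirm:$false
}

# Placeholder names: one admin user, one service account with SPNs, one computer.
Add-ProtectedUserSafely -SamAccountName 'alice.da', 'svc-sql', 'FILESRV01$'
```

Expect the first name to be added and the other two to be skipped with a warning. Because the group is not protected by AdminSDHolder, nothing resets its ACL for you; keep the delegation on the group object as tight as on the privileged accounts it holds.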

How the Protected Users group works

This section explains how the Protected Users group works when:

  • The user is signed in to a Windows device

  • The user account's domain is at the Windows Server 2012 R2 or higher domain functional level

Device protections for signed-in Protected Users

When the signed-in user is a member of the Protected Users group, the following protections are applied:

  • Credential delegation (CredSSP) will not cache the user's plain-text credentials, even when the Allow delegating default credentials Group Policy setting is enabled.

  • Beginning with Windows 8.1 and Windows Server 2012 R2, Windows Digest will not cache the user's plain-text credentials, even when Windows Digest is enabled.

Note

After Microsoft Security Advisory 2871997 is installed, Windows Digest will continue to cache credentials until the registry key is configured. See Microsoft Security Advisory: Update to improve credentials protection and management: May 13, 2014 for instructions.

  • NTLM will not cache the user's plain-text credentials or NT one-way function (NTOWF).

  • Kerberos will no longer create DES or RC4 keys. It will also not cache the user's plain-text credentials or long-term keys after the initial TGT is acquired.

  • A cached verifier is not created at sign-in or unlock, so offline sign-in is no longer supported.

After the user account is added to the Protected Users group, protection begins the next time the user signs in to the device.
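An added PowerShell example (not from the original page) to run on the workstation as the user in question. It shows whether the logon token actually carries Protected Users (RID 525; an account added since the last sign-in will not have it yet), whether a pre-8.1 host has the WDigest registry value from Security Advisory 2871997 set so plain-text caching really stops, and the TGT lifetime that klist reports. The registry path and value name are the ones documented with that advisory; the script is otherwise read-only.

```powershell
# Added example; not part of the original page. Read-only checks on the client.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$protected = $identity.Groups | Where-Object { $_.Value -match '^S-1-5-21-[\d-]+-525$' }
if ($protected) { "$($identity.Name): Protected Users is in the logon token ($($protected.Value))" }
else            { "$($identity.Name): not a Protected User in this token (not a member, or added since the last sign-in)" }

# Windows 8.1 / Server 2012 R2 (NT 6.3) and later stop WDigest caching for Protected Users
# by default; older systems need KB2871997 plus UseLogonCredential = 0.
$osVersion    = [version](Get-CimInstance Win32_OperatingSystem).Version
$wdigestKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential

if ($osVersion -ge [version]'6.3') {
    "OS $osVersion: WDigest will not cache plain-text credentials for Protected Users"
} elseif ($useLogonCred -eq 0) {
    "OS $osVersion: UseLogonCredential=0, WDigest caching disabled"
} else {
    Write-Warning "OS $osVersion: UseLogonCredential is '$useLogonCred'; WDigest keeps caching until it is set to 0 (see advisory 2871997)"
}

# The KDC caps a Protected User's TGT at four hours; compare Start Time, End Time and Renew Time.
klist tgt
```

If the token check says the user is a member but klist still shows a ten-hour TGT, the ticket was issued before the group membership took effect; sign out and back in rather than purging tickets, since the cached-verifier and CredSSP behaviour also only changes at sign-in.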

Domain controller protections for Protected Users

Accounts that are members of the Protected Users group and authenticate to a Windows Server 2012 R2 domain are unable to:

  • Authenticate with NTLM authentication.

  • Use DES or RC4 encryption types in Kerberos pre-authentication.

  • Be delegated with unconstrained or constrained delegation.

  • Renew Kerberos TGTs beyond the initial four-hour lifetime.

Non-configurable settings for TGT expiration are established for every account in the Protected Users group. Normally, the domain controller sets the TGT lifetime and renewal period from the domain policies Maximum lifetime for user ticket and Maximum lifetime for user ticket renewal. For the Protected Users group, 600 minutes is set for these domain policies.
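An added PowerShell example (not from the original page) that audits accounts against the domain-controller-side constraints listed above, either the current members or a list of candidates. One caveat it checks comes from practice rather than from this page: AES Kerberos keys are only generated when a password is set while the domain is at Windows Server 2008 functional level or higher, so an account whose password predates that will fail Kerberos pre-authentication once RC4 and DES are refused. Pass the date your domain reached that level as -AesKeysSince to flag such accounts. It assumes the ActiveDirectory module.

```powershell
# Added example; not part of the original page. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-ProtectedUserReadiness {
    param(
        [string[]]$SamAccountName,   # candidates; default = current Protected Users members
        [datetime]$AesKeysSince      # date the domain reached Windows Server 2008 DFL
    )
    $domain = Get-ADDomain
    $needed = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
    if ([int]$domain.DomainMode -lt [int]$needed) {
        Write-Warning "DFL is $($domain.DomainMode): DCs will not enforce the Protected Users restrictions (device protections still apply)"
    }

    $props = 'msDS-SupportedEncryptionTypes', 'UseDESKeyOnly', 'PasswordLastSet', 'ServicePrincipalName'
    $users = if ($SamAccountName) {
        $SamAccountName | ForEach-Object { Get-ADUser -Identity $_ -Properties $props }
    } else {
        Get-ADGroupMember -Identity "$($domain.DomainSID.Value)-525" |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties $props
    }

    foreach ($u in $users) {
        # msDS-SupportedEncryptionTypes bits: 1 DES-CRC, 2 DES-MD5, 4 RC4, 8 AES128, 16 AES256; 0 = not set.
        $enc    = [int]($u.'msDS-SupportedEncryptionTypes')
        $issues = @()
        if ($u.UseDESKeyOnly)                        { $issues += 'UseDESKeyOnly is set; DES is refused' }
        if ($enc -ne 0 -and ($enc -band 0x18) -eq 0) { $issues += "encryption types $enc exclude AES" }
        if ($u.ServicePrincipalName.Count -gt 0)     { $issues += 'carries SPNs; looks like a service account' }
        if ($PSBoundParameters.ContainsKey('AesKeysSince') -and $u.PasswordLastSet -lt $AesKeysSince) {
            $issues += 'password predates AES keys; reset it before relying on Kerberos-only logon'
        }

        [pscustomobject]@{
            Account         = $u.SamAccountName
            PasswordLastSet = $u.PasswordLastSet
            EncTypes        = $enc
            Issues          = ($issues -join '; ')
        }
    }
}

# Audit the current members; replace the date with when your domain reached the 2008 DFL.
Test-ProtectedUserReadiness -AesKeysSince '2012-01-01' | Format-Table -AutoSize
```

Anything that still talks NTLM to these accounts (legacy file shares by IP address, applications that do not support Kerberos) will show up as event 100 on the domain controllers after the move, so run the audit and then watch the failure log described under Troubleshooting.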

For more information, see How to Configure Protected Accounts.

Troubleshooting

Operational logs are available to help troubleshoot events related to Protected Users: one on the client and two on domain controllers. These logs are disabled by default and are located in Event Viewer under Applications and Services Logs\Microsoft\Windows\Authentication.

Event ID 104, log ProtectedUser-Client
Reason: The security package on the client does not contain the credentials.
The error is logged on the client computer when the account is a member of the Protected Users security group. This event indicates that the security package does not cache the credentials that are needed to authenticate to the server.
Displays the package name, user name, domain name, and server name.

Event ID 304, log ProtectedUser-Client
Reason: The security package does not store the Protected User's credentials.
An informational event is logged on the client to indicate that the security package does not cache the user's sign-in credentials. It is expected that Digest (WDigest), Credential Delegation (CredSSP), and NTLM have no sign-on credentials for Protected Users. Applications can still succeed if they prompt for credentials.
Displays the package name, user name, and domain name.

Event ID 100, log ProtectedUserFailures-DomainController
Reason: An NTLM sign-in failure occurs for an account that is in the Protected Users security group.
An error is logged on the domain controller to indicate that NTLM authentication failed because the account is a member of the Protected Users security group.
Displays the account name and device name.

Event ID 104, log ProtectedUserFailures-DomainController
Reason: DES or RC4 encryption types are used for Kerberos authentication, and a sign-in failure occurs for a user in the Protected Users security group.
Kerberos pre-authentication failed because DES and RC4 encryption types cannot be used when the account is a member of the Protected Users security group. (AES is acceptable.)

Event ID 303, log ProtectedUserSuccesses-DomainController
Reason: A Kerberos ticket-granting ticket (TGT) was successfully issued for a member of the Protected Users group.
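An added PowerShell example (not from the original page) that enables the three logs, which are off by default, and pulls the events listed above from the last 24 hours. The channel names are the Event Viewer channels under Applications and Services Logs\Microsoft\Windows\Authentication. Run the client query on the workstation and the domain controller queries on each DC, from an elevated prompt, since enabling a log requires it.

```powershell
# Added example; not part of the original page. Elevated prompt required to enable logs.
$clientLog = 'Microsoft-Windows-Authentication/ProtectedUser-Client'
$dcFailLog = 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController'
$dcOkLog   = 'Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController'

foreach ($log in $clientLog, $dcFailLog, $dcOkLog) {
    wevtutil set-log $log /enabled:true
    '{0}: enabled' -f $log
}

$since = (Get-Date).AddDays(-1)

function Get-ProtectedUserEvents {
    param([string]$LogName, [int[]]$Id)
    # Get-WinEvent errors when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Client: 104 = package holds no credentials (error), 304 = informational.
# Both are expected for WDigest, CredSSP and NTLM; only a Kerberos failure is a real problem here.
'--- client (104 error, 304 informational) ---'
Get-ProtectedUserEvents -LogName $clientLog -Id 104, 304 | Format-Table -AutoSize

# DC: 100 = NTLM refused, 104 = DES/RC4 pre-authentication refused. Each one names the
# account and device, so this is the list of clients still depending on NTLM or RC4.
'--- domain controller failures (100 NTLM, 104 DES/RC4) ---'
Get-ProtectedUserEvents -LogName $dcFailLog -Id 100, 104 | Format-Table -AutoSize

# DC: 303 = TGT issued to a Protected User; counting them shows the protections are live.
'--- domain controller successes (303 TGT issued) ---'
Get-ProtectedUserEvents -LogName $dcOkLog -Id 303 | Group-Object Id | Select-Object Name, Count
```

Leave the two domain controller logs enabled on every DC rather than only the PDC emulator: the failures are written by whichever KDC the client happened to use.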

Additional resources