Vico_Manolo
Copper Contributor
Nov 27, 2024
Status: Not at this time

Allow multiple groups for Decrypt permissions

Request to enable the assignment of decrypt permissions to multiple groups independently.

Currently, we can assign the decrypt permission to only one group.

In our case, this requires a universal group in our forest containing both domain admins and Tier 2 admins. However, combining these two roles into a single group poses a security risk, as it increases the potential for mismanagement. Best practices generally advise against merging such privileged administrative groups.

Because of this limitation, we have disabled the new encryption feature.

What are your thoughts on this?

Thanks!

1 Comment

  • Status changed: New to Not at this time

    Hello Vico_Manolo,

    Actually, I considered this design option during initial development of Windows LAPS. Unfortunately, encrypting the password data against multiple SIDs causes the size of the encrypted data to bloat by a large factor. Allowing that to happen across large numbers of devices would obviously result in bloat of the AD database, and depending on other factors (e.g. password update frequency) could also negatively impact AD replication performance. For these reasons this idea was rejected.

    Jay