Bug Description
Since windows 2012r2 there's a group called Protected Users that, when added to the user adds some security restrictions. It's recommended that the admins are part of this group (since they're not supposed to be running regular software)
The Test-PasswordQuality is adding those users in the block "These administrative accounts (current or former ones) are allowed to be delegated:"
Documentation
Steps to Reproduce
- Member of admin group
- Member of protected users group
- Not having checked the "Account is sensitive and cannot be delegated" setting
Expected Behavior
Account should be safe from Delegation attacks, so there shouldn't be any warnings in the block "These administrative accounts (current or former ones) are allowed to be delegated"
Actual Behavior
Users in the protected group are in the warning
Stack Trace
DSInternals Module Version
6.4
PowerShell Version
7.5.4
Operating System
Microsoft Windows Server 2025 Datacenter
Target Domain Controller Version
Microsoft Windows Server 2025 Datacenter
Processor Architecture
x64
Checklist
Bug Description
Since windows 2012r2 there's a group called Protected Users that, when added to the user adds some security restrictions. It's recommended that the admins are part of this group (since they're not supposed to be running regular software)
The Test-PasswordQuality is adding those users in the block "These administrative accounts (current or former ones) are allowed to be delegated:"
Documentation
Steps to Reproduce
Expected Behavior
Account should be safe from Delegation attacks, so there shouldn't be any warnings in the block "These administrative accounts (current or former ones) are allowed to be delegated"
Actual Behavior
Users in the protected group are in the warning
Stack Trace
DSInternals Module Version
6.4
PowerShell Version
7.5.4
Operating System
Microsoft Windows Server 2025 Datacenter
Target Domain Controller Version
Microsoft Windows Server 2025 Datacenter
Processor Architecture
x64
Checklist