Windows – disable domain administrators credentials caching

Tags: cache, credentials, domain, password-management, windows

Machines in AD (domain) do cache domain user credentials by default, and I like this behaviour, not only because it is especially useful in the case of laptops. The number of last logons to be cached can easily be changed via GPO.

BUT, here is the thing. I am looking for a way to disallow the domain administrators' passwords from being cached on any computer in the network. The reason I want this is malware: we do not want the whole domain compromised just because of one infected machine, right?!

Question 1:

How do I properly disable credential caching just for domain administrator users (and leave it enabled for normal "authenticated users") in GPO?

I believe it should be achieved by setting the GPO setting Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available) to 0.

But I haven't figured out how to apply it to domain administrators only 🙁

Question 2:

Also… I am aware that I need to set password/credential policies in the "Default Domain Policy" GPO for them to actually be active/enforced. But is this the only exception? Which policies have this exception? Is it the whole "Security Settings" branch? Or just some of its sub-branches? Or something else? How is it indicated in the Group Policy Management console?

Using Windows Server 2012 R2.

Best Answer

If your domain's functional level is Windows Server 2012 R2 or higher and your client machines are Windows 8.1 or newer, you can afford selected users additional protection by adding them to the Protected Users group.

Members of the Protected Users group who authenticate to a Windows Server 2012 R2 domain can no longer authenticate by using:

  • ...
  • Sign-in offline. A cached verifier is not created at sign-in.

Caution! Make sure not all privileged accounts are made members of Protected Users before you've finished testing the change. It's possible to lock yourself out under some circumstances (further reading).

In response to your second question: the policies that must be applied to domain controllers are the ones that affect the accounts database and authentication. For example, password policies must be enforced on a domain controller because it doesn't make sense for a single workstation to be managing credentials for a domain account. The Server Fault answer linked by Twisty in the comments is helpful.
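The following is an added example (not code from the question or the answer) of how the Protected Users approach above is applied and checked in practice. It assumes the RSAT ActiveDirectory module is available, that the account names alice.admin, bob.admin and breakglass.admin are placeholders, and that one break-glass account is deliberately left out of the group as the answer's caution recommends. The last command shows the client-side registry value (CachedLogonsCount) that the "Number of previous logons to cache" GPO setting writes, which is machine-wide and so cannot be scoped to administrators alone; Protected Users is what gives the per-account effect.

```powershell
# Added example, not part of the original post. Enrols selected domain admin
# accounts in the Protected Users group so that no cached credential verifier is
# created for them on any machine they sign in to, while ordinary users keep
# the normal cached-logon behaviour.
Import-Module ActiveDirectory

$AdminsToProtect = @('alice.admin', 'bob.admin')   # hypothetical sAMAccountNames
$BreakGlass      = 'breakglass.admin'              # hypothetical; kept OUT of the group until tested

# Protected Users only works at 2012 R2 domain functional level or higher.
$domain = Get-ADDomain
$minimum = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
if ([int]$domain.DomainMode -lt [int]$minimum) {
    throw "Domain functional level $($domain.DomainMode) is below Windows Server 2012 R2; Protected Users protections will not apply."
}

# Protected Users is a well-known group: RID 525 in the domain's SID space,
# so resolve it by SID rather than by (localisable) display name.
$protectedUsers = Get-ADGroup -Identity "$($domain.DomainSID.Value)-525"

foreach ($name in $AdminsToProtect) {
    if ($name -eq $BreakGlass) {
        Write-Warning "Skipping break-glass account $name"
        continue
    }
    $user = Get-ADUser -Identity $name
    Add-ADGroupMember -Identity $protectedUsers -Members $user
    Write-Host "Added $name to Protected Users"
}

# Verify the resulting membership.
Get-ADGroupMember -Identity $protectedUsers |
    Select-Object SamAccountName, ObjectClass

# On a domain-joined client, confirm the machine-wide cache setting is still in
# place for regular users. This is the registry value behind the GPO setting
# "Interactive logon: Number of previous logons to cache"; it applies to every
# account on the machine, which is why it cannot target administrators only.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -Name CachedLogonsCount |
    Select-Object CachedLogonsCount
```

Run the enrolment with -WhatIf on Add-ADGroupMember first, and test a sign-in from a protected account with the domain controllers reachable before relying on it, since a Protected Users member can no longer sign in offline at all.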
