Configuring and managing account and user security
One of the most important aspects of managing a hybrid identity model is that the user identity lifecycle is fully managed from account creation, through daily usage, to eventual account deletion. This holds true both for standard user accounts and for system or service accounts. In this section, we will discuss the protection of accounts, users, and credentials, and overall account security.
Managing protected users
Within every AD environment, there exists a default collection of highly privileged groups and accounts whose permissions are enforced automatically: the Security Descriptor Propagator (SDProp) process, which runs on the PDC emulator every 60 minutes by default, copies the template permissions held on the AdminSDHolder object (CN=AdminSDHolder,CN=System,<domain DN>) onto these groups and their members, disables permission inheritance on them, and stamps them with adminCount=1. Any manual change to their permissions is therefore overwritten and returned to the template within an hour. Because the enforcement is tied to the well-known objects themselves rather than to a container, it applies no matter which OU the object is stored in, so permissions delegated on an OU never take effect on them. Such objects in AD are considered protected accounts and protected...
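The following PowerShell is an added example, not code from the book or from Microsoft, showing the checks a practitioner would run against the mechanism described above: which accounts SDProp has stamped, which of those are orphans that left a protected group but kept the hardened ACL, whether a protected account's explicit ACEs still match the AdminSDHolder template, and which principals hold write-class rights on the template itself. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the domain, and the default list of protected groups; the function names are the example's own.

```powershell
# Added example (not from the book): audit AdminSDHolder-protected accounts.
# Assumes the RSAT ActiveDirectory module and a domain-joined session with read access.
Import-Module ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName
$sdHolderDn = "CN=AdminSDHolder,CN=System,$domainDn"

# Groups SDProp protects by default. Enterprise Admins and Schema Admins exist only in
# the forest root domain, so a lookup in a child domain is allowed to fail.
$protectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
    'Domain Controllers', 'Read-only Domain Controllers', 'Replicator'
)

function Get-ProtectedGroupMemberSid {
    # Leaf members (users/computers) of every protected group, as SID strings.
    $sids = foreach ($g in $protectedGroups) {
        try { (Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop).SID.Value }
        catch { Write-Verbose "Skipping '$g': $($_.Exception.Message)" }
    }
    $sids | Sort-Object -Unique
}

function Get-OrphanedAdminCountUser {
    # SDProp sets adminCount=1 and disables inheritance but never undoes either, so a user
    # removed from a protected group keeps the hardened ACL until an admin fixes it by hand.
    # krbtgt and RODC krbtgt_* accounts are protected by name, not membership, so skip them.
    $memberSids = Get-ProtectedGroupMemberSid
    Get-ADObject -LDAPFilter '(&(adminCount=1)(objectCategory=person))' `
                 -Properties objectSid, sAMAccountName |
        Where-Object { $_.objectSid.Value -notin $memberSids -and $_.sAMAccountName -notlike 'krbtgt*' } |
        Select-Object sAMAccountName, DistinguishedName
}

function ConvertTo-AceString {
    # Flatten an ACE so two ACLs can be diffed with Compare-Object.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $Ace.IdentityReference, $Ace.ActiveDirectoryRights,
        $Ace.AccessControlType, $Ace.ObjectType, $Ace.InheritedObjectType, $Ace.InheritanceType
}

function Compare-ProtectedObjectAcl {
    # Explicit ACEs on a protected object should equal the explicit ACEs on AdminSDHolder,
    # and inheritance should be blocked. A difference seen right after SDProp has run
    # means the object is not being protected as expected; a difference seen minutes after
    # a manual change may simply be waiting for the next propagation cycle.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $templateAcl = Get-Acl -Path "AD:\$sdHolderDn"
    $objectAcl   = Get-Acl -Path "AD:\$DistinguishedName"
    $template = $templateAcl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { ConvertTo-AceString $_ }
    $actual   = $objectAcl.Access   | Where-Object { -not $_.IsInherited } | ForEach-Object { ConvertTo-AceString $_ }
    [pscustomobject]@{
        DistinguishedName    = $DistinguishedName
        InheritanceBlocked   = $objectAcl.AreAccessRulesProtected
        AceDifferences       = Compare-Object -ReferenceObject $template -DifferenceObject $actual
    }
}

function Get-AdminSdHolderWriteAce {
    # Whatever is on the template is pushed to every protected object, so any principal
    # with write-class rights here effectively controls all protected accounts. Baseline
    # this list against a known-good domain; some ExtendedRight entries are legitimate.
    $writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'
    (Get-Acl -Path "AD:\$sdHolderDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match $writeRights } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

function Invoke-SdPropNow {
    # Ask the PDC emulator to run SDProp immediately instead of waiting up to 60 minutes.
    # Requires Domain Admin rights; must be issued against the PDC emulator.
    $pdc = (Get-ADDomain).PDCEmulator
    $rootDse = [ADSI]"LDAP://$pdc/RootDSE"
    $rootDse.Put('runProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}

# Usage
Get-OrphanedAdminCountUser | Format-Table -AutoSize
Get-AdminSdHolderWriteAce  | Format-Table -AutoSize
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    ForEach-Object { Compare-ProtectedObjectAcl -DistinguishedName $_.DistinguishedName } |
    Where-Object { -not $_.InheritanceBlocked -or $_.AceDifferences } |
    Format-List
```

The orphan check is the one most often skipped in practice: removing an account from Domain Admins does not make it an ordinary user again, since adminCount stays at 1 and inheritance stays disabled, so the account neither receives OU-delegated permissions nor shows up in reports that key on group membership alone. The template check complements it from the other side: the AdminSDHolder DACL is the single source of truth for every protected object, so it deserves the same change monitoring as the protected groups themselves.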