Update hello-hybrid-cloud-kerberos-trust.md

"Denied RODC Password Replication Group"
2025-05-14 06:17:22 +00:00 · 2023-05-16 10:34:43 -04:00 · 2023-05-16 10:34:43 -04:00 · 33d698f652
commit 33d698f652
parent f62d2aa976
1 changed files with 2 additions and 1 deletions
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@ -36,6 +36,7 @@ When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Ke

 - Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers
 - Is only used by Azure AD to generate TGTs for the Active Directory domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object
+- For Example, if the users belongs to local AD built-in groups that is part of "Denied RODC Password Replication Group". they won't be able to use Cloud trust deployment.

 :::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Azure AD Kerberos server ":::

@ -88,4 +89,4 @@ Once the prerequisites are met, deploying Windows Hello for Business with a clou
 [SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services

 [SUP-1]: https://support.microsoft.com/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e
-[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f
+[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f