deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 13:53:39 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

add note about Quota

Browse Source 
changed note location as requested by mapalko
This commit is contained in:
VLG17
2020-09-07 10:30:52 +03:00
committed by GitHub
parent 821194a240
commit 3a5c7ce0fd
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
View File

@ -145,6 +145,9 @@ Windows Server 2012 or later domain controllers support Group Managed Service Ac
GMSA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GMSA. Before you can create a GMSA, you must first create a root key for the service. You can skip this if your environment already uses GMSA. GMSA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GMSA. Before you can create a GMSA, you must first create a root key for the service. You can skip this if your environment already uses GMSA.
>[!NOTE]
> If the [default object creation quota for security principles](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/d55ca655-109b-4175-902a-3e9d60833012) is set, you will need to change it for the Group Managed Service Account in order to be able to register new devices.
#### Create KDS Root Key #### Create KDS Root Key
Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. Sign-in a domain controller with _Enterprise Admin_ equivalent credentials.
@ -152,9 +155,6 @@ Sign-in a domain controller with _Enterprise Admin_ equivalent credentials.
1. Start an elevated Windows PowerShell console. 1. Start an elevated Windows PowerShell console.
2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)`. 2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)`.
>[!NOTE]
> If the [default object creation quota for security principles](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/d55ca655-109b-4175-902a-3e9d60833012) is set, you will need to change it for the Group Managed Service Account in order to be able to register new devices.
### Windows Server 2008 or 2008 R2 Domain Controllers ### Windows Server 2008 or 2008 R2 Domain Controllers
Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis. Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis.