From a5e56e0eb750d967ee17ed5dcc2fcb89e27c8855 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 17 May 2023 07:15:58 -0400 Subject: [PATCH] Update hello-hybrid-cloud-kerberos-trust.md --- .../hello-for-business/hello-hybrid-cloud-kerberos-trust.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index b012a97893..956957865f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -35,8 +35,9 @@ With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Wind When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object: - Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers -- Is only used by Azure AD to generate TGTs for the Active Directory domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object -- For Example, if the users belongs to local AD built-in groups that is part of "Denied RODC Password Replication Group". they won't be able to use Cloud trust deployment. +- Is only used by Azure AD to generate TGTs for the Active Directory domain. + > [!NOTE] + > The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object. For example, users that are direct or indirect members of the built-in security group *Denied RODC Password Replication Group* won't be able to use cloud Kerberos trust. :::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Azure AD Kerberos server ":::