Defending Against MimiKatz Attacks
Cyberlinx Security

 Published On Nov 5, 2020

How to defend against Mimikatz attacks using Active Directory

1. Disable WDigest:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
Value: UseLogonCredential (REG_DWORD), set to 0
2. Run LSASS as a protected process:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Value: RunAsPPL, set to 1
3. Limit the credential cache:
Computer Configuration/Windows Settings/Local Policy/Security Options/Interactive Logon: Number of previous logons to cache, set to 0
4. Disable access to the Group Policy editor on the local machines:
User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy Object Editor.
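
A read-only audit of steps 1 to 3 on the local machine, added here as an example and not taken from the video. It assumes the step 3 policy is stored in the Winlogon value CachedLogonsCount; the description gives only the Group Policy path. Step 4 is a per-user policy and is not checked.

```powershell
# Added audit example: reads the three settings and reports them. It changes nothing.
$checks = @(
    @{ Step = '1. WDigest'
       Path = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential'; Expected = '0' },
    @{ Step = '2. LSASS as protected process'
       Path = 'HKLM:\System\CurrentControlSet\Control\Lsa'
       Name = 'RunAsPPL'; Expected = '1' },
    # Assumption: "Number of previous logons to cache" is stored in this
    # Winlogon value (REG_SZ); the page itself gives only the GPO path.
    @{ Step = '3. Credential cache'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'CachedLogonsCount'; Expected = '0' }
)

$results = foreach ($c in $checks) {
    # A missing key or value is reported as '<not set>' rather than treated
    # as compliant: the OS default then applies, and it varies by version.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { [string]$item.($c.Name) } else { '<not set>' }
    [pscustomobject]@{
        Step      = $c.Step
        Value     = $c.Name
        Expected  = $c.Expected
        Actual    = $actual
        Compliant = ($actual -eq $c.Expected)
    }
}

$results | Format-Table -AutoSize

# Summarise the gaps so the output is usable from a scheduled task or a log.
$gaps = @($results | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} of {1} settings differ from the hardening steps: {2}" -f
        $gaps.Count, $results.Count, (($gaps | ForEach-Object { $_.Value }) -join ', '))
} else {
    Write-Output 'All three registry settings match the hardening steps.'
}
```

RunAsPPL takes effect only after a restart, so a matching registry value does not by itself show that the running LSASS process is protected.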
