Protected Users Security Group in Active Directory

Windows Server 2012 R2 introduced several new technologies designed to help protect privileged credentials, including the Active Directory Protected Users group. New or existing users can be added to this global security group, which prevents Windows 8.1 and Windows Server 2012 R2 devices from caching those users’ credentials, providing additional protection against password theft.

When a user account is added to the Protected Users group, a set of authentication protocol restrictions are applied to the account to better protect it against the compromise of its credentials during the authentication process. Microsoft recommends adding high-value accounts—such as server administrators—to the Protected Users group.

Protected Users Security Group

Users logged in to devices that support Protected Users are prevented from using:

  • Cached credentials. For example, users cannot log in offline when there is no access to a domain controller.
  • Kerberos long-term keys. The Kerberos ticket-granting ticket (TGT) must be received when users log in and cannot be reissued automatically.
  • Default credential delegation (CredSSP), which stops credentials from being cached in plain text even if the Allow delegating default credentials policy is set.
  • Windows Digest authentication.
  • NT LAN Manager (NTLM) NTOWF, which is a function for generating keys based on user passwords.

Furthermore, if the domain functional level is Windows Server 2012 R2 or higher, Protected Users cannot:

  • Renew Kerberos ticket-granting tickets beyond the original four-hour TTL.
  • Log in using NTLM.
  • Use DES or RC4 for Kerberos pre-authentication.
  • Be delegated using constrained or unconstrained delegation.
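
Because these restrictions can break accounts that rely on delegation or on DES/RC4, it helps to audit high-value accounts before adding them to the group. The following script is an added example, not part of the original post: it reports which members of a privileged group are already in Protected Users and which have settings the restrictions above would affect. The choice of `Domain Admins` as the group to review is an assumption.

```powershell
# Added example: pre-flight audit before adding privileged accounts to Protected Users.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption: 'Domain Admins' stands in for whichever high-value group you are reviewing.
$PrivilegedGroup = 'Domain Admins'

# The second list of restrictions only applies at the Windows Server 2012 R2
# domain functional level or higher, so show the current level first.
$domain = Get-ADDomain
Write-Host "Domain functional level: $($domain.DomainMode)"

# Distinguished names of current Protected Users members (nested members included).
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty DistinguishedName)

$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'msDS-SupportedEncryptionTypes'

$report = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $u   = Get-ADUser -Identity $_.DistinguishedName -Properties $props
        $enc = [int]($u.'msDS-SupportedEncryptionTypes')   # $null (not set) becomes 0

        [pscustomobject]@{
            SamAccountName   = $u.SamAccountName
            Enabled          = $u.Enabled
            InProtectedUsers = $protected -contains $u.DistinguishedName
            # Protected Users cannot be delegated, so any of these settings stops working.
            DelegationSet    = [bool]($u.TrustedForDelegation -or
                                      $u.TrustedToAuthForDelegation -or
                                      (@($u.'msDS-AllowedToDelegateTo').Count -gt 0))
            # 0x18 = AES128 | AES256. A non-zero value with neither bit means DES/RC4 only,
            # which Protected Users cannot use for Kerberos pre-authentication.
            NoAesConfigured  = ($enc -ne 0) -and (($enc -band 0x18) -eq 0)
        }
    }

$report | Sort-Object InProtectedUsers, SamAccountName | Format-Table -AutoSize
```

Accounts that show `InProtectedUsers` as False are candidates for the group; resolve any `DelegationSet` or `NoAesConfigured` flag first so the account keeps working after the change.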

For more details on this new security group, see the Microsoft TechNet article “Protected Users Security Group.”

Hope this post is useful for you guys! Please don’t forget to leave your comment.



  1. This post is very useful thanks for sharing..!

  2. You’ve got a great blog here! Would you like to make some invite posts on my site?

  3. Thank you for giving the information. It will help me a lot.

  4. It’s challenging to locate well-informed folks on this matter, but you sound like you know what you’re talking about! Thanks
