Q: What's the purpose of the new Protected Users domain global group in Windows Server 2012 R2 Active Directory?
A: When a user account is added to the Protected Users group, a set of authentication protocol restrictions is applied to the account to better protect it against compromise of its credentials during the authentication process. Microsoft recommends adding high-value accounts—such as server administrators—to the Protected Users group. The authentication protocol restrictions include the following:
- A member of the Protected Users group can sign on only by using the Kerberos protocol. The account can't authenticate using NTLM, Digest Authentication, or CredSSP.
- The Kerberos protocol won't use the weaker DES or RC4 encryption types during the Kerberos pre-authentication process.
- The user's account can't be delegated through Kerberos constrained or unconstrained delegation.
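An added example (not part of the original Q&A or of Microsoft's documentation) showing how an administrator would audit which members of high-value groups are not yet in Protected Users and add them in a dry run; it assumes the RSAT ActiveDirectory module, and the list of high-value groups and the rule of skipping accounts that carry an SPN are assumptions to adjust to your own environment.

```powershell
# Added example: find privileged users missing from Protected Users and stage adding them.
# Assumes the ActiveDirectory module and rights to read and modify group membership.
Import-Module ActiveDirectory

# High-value groups whose members should be protected (assumption: adapt to your tiering model).
$HighValueGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')

# Protected Users is a well-known group: <domain SID>-525.
$DomainSid      = (Get-ADDomain).DomainSID.Value
$ProtectedUsers = "$DomainSid-525"
$AlreadyMembers = Get-ADGroupMember -Identity $ProtectedUsers |
                  Select-Object -ExpandProperty SamAccountName

# Collect user accounts (not computers or groups) from the high-value groups, nested included.
$Candidates = foreach ($g in $HighValueGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
}

$ToAdd = $Candidates |
    Sort-Object SamAccountName -Unique |
    Where-Object { $AlreadyMembers -notcontains $_.SamAccountName } |
    Get-ADUser -Properties ServicePrincipalName |
    # Members lose NTLM and cannot be delegated, so an account with an SPN
    # (likely a service account) would break; skip it (assumption, review manually).
    Where-Object { -not $_.ServicePrincipalName }

Write-Host "Privileged users not yet in Protected Users:"
$ToAdd | Format-Table SamAccountName, Enabled -AutoSize

# Dry run only; drop -WhatIf once the list has been reviewed.
if ($ToAdd) {
    Add-ADGroupMember -Identity $ProtectedUsers -Members $ToAdd -WhatIf
}

# Verification after a protected user signs in: 'klist' on their workstation should show
# a TGT issued with an AES etype. Failed NTLM/RC4 attempts by members are recorded on DCs
# in the ProtectedUserFailures-DomainController log once that channel is enabled.
Get-WinEvent -LogName 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController' `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run the script on a domain-joined admin workstation as an account that can read the groups; the final query returns nothing until the failures log channel is enabled on the domain controllers.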
For more details on this new security group, see the Microsoft TechNet article "Protected Users Security Group."