Protected Users Group in Windows Server 2012 R2 Active Directory

Q: What's the purpose of the new Protected Users domain global group in Windows Server 2012 R2 Active Directory?

A: When a user account is added to the Protected Users group, a set of authentication protocol restrictions is applied to the account to better protect it against compromise of its credentials during the authentication process. Microsoft recommends adding high-value accounts—such as server administrators—to the Protected Users group. The authentication protocol restrictions include the following:

  • A member of the Protected Users group can sign on only by using the Kerberos protocol. The account can't authenticate using NTLM, Digest Authentication, or CredSSP.
  • The Kerberos protocol won't use the weaker DES or RC4 encryption types during the Kerberos pre-authentication process.
  • The user's account can't be delegated through Kerberos constrained or unconstrained delegation.

For more details on this new security group, see the Microsoft TechNet article "Protected Users Security Group."
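As an added example (not from the original article), the following PowerShell reports which members of a high-value group are already in Protected Users and flags accounts that are likely to break under the Kerberos-only and no-delegation restrictions described above, such as service accounts carrying SPNs. It assumes the ActiveDirectory RSAT module is installed and that "Domain Admins" is the group you treat as high-value.

```powershell
# Added example, not from the original article: audit Protected Users
# membership for a high-value group and flag accounts to review first.
# Assumes the ActiveDirectory RSAT module and rights to read group membership.
Import-Module ActiveDirectory

function Get-ProtectedUsersReport {
    [CmdletBinding()]
    param(
        # Group whose members you consider high-value (assumption: Domain Admins)
        [string]$HighValueGroup = 'Domain Admins'
    )

    # Current user members of Protected Users, by SamAccountName
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.SamAccountName }

    Get-ADGroupMember -Identity $HighValueGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                -Properties ServicePrincipalName, AccountNotDelegated

            # Accounts with SPNs are usually service accounts; they often rely on
            # NTLM fallback or delegation, both of which Protected Users removes.
            $notes = @()
            if ($u.ServicePrincipalName.Count -gt 0) { $notes += 'has SPNs: likely a service account' }
            if ($u.AccountNotDelegated)              { $notes += 'already marked sensitive/no-delegation' }

            [pscustomobject]@{
                SamAccountName   = $u.SamAccountName
                InProtectedUsers = ($protected -contains $u.SamAccountName)
                Notes            = ($notes -join '; ')
            }
        }
}

# Print the report, then show which unflagged admins would be added.
# -WhatIf previews the change without modifying the directory.
$report = Get-ProtectedUsersReport
$report | Format-Table -AutoSize

$report |
    Where-Object { -not $_.InProtectedUsers -and -not $_.Notes } |
    ForEach-Object {
        Add-ADGroupMember -Identity 'Protected Users' -Members $_.SamAccountName -WhatIf
    }
```

Remove `-WhatIf` only after the flagged accounts have been reviewed, since a service account that depends on NTLM or delegation will stop working once it becomes a member.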
