Protected Users Group
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Secure Windows Server Infrastructure: Mastering the Protected Users Group
Introduction: The Critical Need for Identity Security
In the modern enterprise, Active Directory Domain Services (AD DS) serves as the backbone of identity and access management. It is the gatekeeper of your digital assets, and consequently, it is the primary target for malicious actors. Once an attacker gains a foothold in an environment, their primary objective is almost always to escalate privileges—moving from a standard user account to a Domain Admin or an account with equivalent power. One of the most common and effective ways to achieve this is through credential theft.
When a user logs into a Windows machine, the operating system caches credentials in memory. Attackers use tools to scrape this memory, extracting NTLM hashes or Kerberos tickets to perform "Pass-the-Hash" or "Pass-the-Ticket" attacks. If a high-privilege account is used on a compromised machine, the attacker can easily impersonate that user, moving laterally throughout the network with little resistance. This is where the Protected Users security group becomes an essential defensive tool.
The Protected Users group is a built-in security group introduced in Windows Server 2012 R2. It provides a non-configurable, automated layer of security for high-privileged accounts. Members of this group are subjected to strict, non-negotiable security policies that essentially harden their accounts against the most common methods of credential theft. Understanding how to use this group effectively is not just a best practice; it is a fundamental requirement for any administrator tasked with securing a Windows Server environment.
Understanding the Mechanics: How Protected Users Works
The Protected Users group works by enforcing specific restrictions on members whenever they authenticate. These restrictions are not optional; they are enforced at the Kerberos and NTLM protocol levels. When an account is added to this group, the domain controller and the local operating system change how they handle authentication requests for that user.
Key Security Enforcements
- NTLM Credential Delegation is Disabled: NTLM is an aging, inherently insecure protocol that is vulnerable to relay attacks. By disabling NTLM for Protected Users, you ensure that their credentials cannot be used to authenticate via legacy protocols, forcing the use of more secure Kerberos authentication.
- DES and RC4 Encryption Are Prohibited: Older encryption types like DES and RC4 are susceptible to brute-force and dictionary attacks. Protected Users are restricted to using only AES encryption for Kerberos tickets, which is significantly more difficult to crack.
- Restricted Kerberos Ticket Granting Ticket (TGT) Lifetime: By default, TGTs can last for up to 10 hours. For members of the Protected Users group, the TGT lifetime is reduced to a maximum of four hours. This significantly shortens the window of opportunity for an attacker to use a stolen ticket.
- Credential Delegation Restriction: Protected Users cannot have their credentials delegated to other machines. This prevents an attacker from using a "jump box" or a compromised server to hop to another machine using the user's delegated credentials.
- No Credential Caching: The operating system is instructed not to cache credentials in memory for members of this group. This makes it impossible for attackers to dump the credentials from the Local Security Authority (LSA) process, effectively neutralizing memory-scraping attacks.
Callout: Protected Users vs. Restricted Groups It is common to confuse the Protected Users group with the "Restricted Groups" GPO setting. While Restricted Groups are used to enforce membership of local groups on member servers (e.g., ensuring only the "Domain Admins" group is in the local "Administrators" group), the Protected Users group is a security policy container. Protected Users changes the behavior of how an account authenticates, whereas Restricted Groups manage membership.
Implementation: How to Deploy Protected Users
Implementing the Protected Users group is straightforward, but it requires careful planning to avoid breaking legitimate workflows. Because of the strict security policies, you should never add service accounts or users who rely on legacy applications directly into this group without testing.
Step-by-Step Configuration
- Identify High-Privilege Accounts: Start by auditing your environment to identify accounts that require protection. This includes Domain Admins, Enterprise Admins, Schema Admins, and any account with delegated administrative rights over critical infrastructure.
- Verify Domain Functional Level: Ensure your domain is running at a functional level of at least Windows Server 2012 R2. While the group exists in newer versions, the underlying Kerberos enforcement mechanisms require this functional level to operate correctly.
- Add Accounts to the Group: Open "Active Directory Users and Computers" (ADUC). Navigate to the "Users" container (or wherever you manage your groups). Locate the "Protected Users" group. Right-click the group, select "Properties," navigate to the "Members" tab, and add the desired user accounts.
- Test in a Staged Environment: Before applying this to production administrators, create a test user account, add it to the Protected Users group, and attempt to log in to various systems. Verify that legacy applications, scripts, or scheduled tasks that use this account do not fail.
Best Practices for Deployment
- Start Small: Never add all administrative accounts at once. Begin with a single account and monitor for any authentication issues or application errors.
- Documentation: Maintain a clear list of who is in the group and why. If an administrator suddenly cannot log in to an old legacy server, you need to know immediately that it is because they are a Protected User.
- Monitor for Errors: Use Event Viewer on your Domain Controllers to look for Kerberos authentication failures. These will often manifest as event IDs related to encryption type mismatches or authentication policy violations.
Note: Adding an account to the Protected Users group is an immediate change. There is no "grace period" or propagation delay beyond the standard Active Directory replication time. Once the domain controller receives the update, the security policies are enforced on the next authentication attempt.
Comparing Authentication Protocols and Security Levels
To understand why Protected Users is so effective, we must look at how it changes the authentication landscape.
| Feature | Standard User | Protected User | Impact |
|---|---|---|---|
| NTLM Support | Enabled | Disabled | Prevents NTLM relay and pass-the-hash |
| Kerberos Encryption | RC4, AES | AES Only | Prevents cracking of weak encryption |
| TGT Lifetime | 10 Hours | 4 Hours | Limits window for pass-the-ticket |
| Credential Caching | Enabled | Disabled | Neutralizes memory scraping |
| Delegation | Allowed | Denied | Prevents lateral movement |
As shown in the table, the transition from a standard user to a Protected User moves the account from a state of compatibility and convenience to a state of hardened security.
Common Pitfalls and Troubleshooting
Even with a simple configuration, administrators often encounter issues when implementing the Protected Users group. Understanding these common traps will save you significant downtime.
1. The "Legacy Application" Trap
Many organizations still run legacy applications that rely on NTLM or weaker encryption types. If you add an account used by a service or a scheduled task to the Protected Users group, that application will stop working immediately. The application will be unable to authenticate because the Domain Controller will refuse the NTLM request or the weak Kerberos request.
- Solution: Never place service accounts in the Protected Users group. Instead, use Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs) and apply separate hardening policies.
2. The "Remote Desktop" Problem
Protected Users are restricted from using credential delegation. If an administrator uses Remote Desktop Protocol (RDP) to connect to a server and attempts to use their credentials to access a secondary resource (like a file share) from within that session, it will fail.
- Solution: Use "Restricted Admin" mode for RDP connections. This allows you to connect to a server without sending your credentials to the remote machine, which is a safer way to manage systems regardless of Protected Users status.
3. Domain Controller Communication
Sometimes, administrators attempt to add accounts to the Protected Users group but find that the changes do not take effect across all domain controllers. This is almost always an Active Directory replication issue.
- Solution: Use the
repadmin /showreplcommand to ensure your domain controllers are replicating correctly. If you have recently promoted a new domain controller, ensure it has the latest patches to support the authentication policy changes.
Warning: Never add a Domain Controller's computer account to the Protected Users group. Doing so will break the ability of the domain controller to replicate and communicate with other domain controllers. Only add user accounts (and potentially service-related user accounts if they meet specific criteria) to this group.
Advanced Implementation: PowerShell Automation
While ADUC is fine for a few accounts, you should automate the management of Protected Users in a large environment. PowerShell provides the necessary tools to manage group membership and audit the configurations effectively.
Adding Users via PowerShell
Using the ActiveDirectory module, you can quickly add a user to the group.
# Import the Active Directory module
Import-Module ActiveDirectory
# Define the user to be added
$UserSAM = "admin_john"
# Add the user to the Protected Users group
Add-ADGroupMember -Identity "Protected Users" -Members $UserSAM
# Verify the addition
Get-ADGroupMember -Identity "Protected Users" | Select-Object Name
Auditing Membership
It is vital to regularly audit who is in this group. You can create a simple script to alert you if an unauthorized user is added.
# Audit script to list all members of the Protected Users group
$Group = "Protected Users"
$Members = Get-ADGroupMember -Identity $Group
foreach ($Member in $Members) {
Write-Host "Account currently protected: $($Member.Name)"
}
This script can be scheduled as a daily task to export a list of members to a log file, allowing you to track changes over time and ensure that only intended accounts remain in the group.
The Role of Authentication Policies and Silos
While the Protected Users group is a great starting point, Windows Server 2016 and later introduced Authentication Policies and Authentication Silos. These are the "next generation" of the Protected Users group.
Authentication Policies allow you to:
- Define specific TGT lifetimes for different sets of users.
- Restrict where a user can authenticate (e.g., only from specific workstations).
- Enforce these policies at the account level rather than the group level.
Authentication Silos allow you to group users, computers, and services into a "silo" and apply policies specifically to that silo. This is much more flexible than the "one-size-fits-all" approach of the Protected Users group.
Callout: Protected Users vs. Auth Policies The Protected Users group is a static, global policy. Authentication Policies are dynamic and granular. If you find that the Protected Users group is too restrictive for your needs, or if you need to apply different levels of protection for different administrative tiers, you should migrate your strategy toward Authentication Policies and Silos.
Best Practices Checklist for Secure Identity
To ensure your Active Directory environment remains secure, follow these industry-standard practices:
- Tiered Administration: Implement the "Tiered Administration" model. Use separate accounts for administrative tasks, general email/browsing, and server management. Only the administrative accounts should ever be considered for the Protected Users group.
- Use gMSAs: For all service accounts, move away from standard user accounts. Use group Managed Service Accounts, which handle password rotation automatically and are not subject to the same credential caching issues as standard user accounts.
- Disable NTLM: In addition to using the Protected Users group, look into disabling NTLM entirely within your domain using Group Policy. This is a significant undertaking but is the gold standard for preventing NTLM-based attacks.
- Monitor Kerberos Traffic: Use tools to monitor for anomalies in Kerberos traffic, such as an unusual number of TGT requests or the use of weak encryption types.
- Regular Password Rotations: Even with Protected Users, ensure that your high-privilege accounts have strong, long, and frequently rotated passwords.
- Audit Logs: Enable Advanced Audit Policy configuration to monitor for "Success" and "Failure" events related to account logon and Kerberos service ticket requests.
Common Questions (FAQ)
Q: Can I add a computer account to the Protected Users group? A: No, the group is designed for user accounts. Adding a computer account will cause authentication failures for the services running on that machine, including critical system processes.
Q: If I add a user to the Protected Users group, will they still be able to log in to all their machines? A: They will be able to log in, but they will be subject to the restrictions. If they attempt to log in using an NTLM-only connection, or if the machine they are logging into does not support the required encryption levels, they will be blocked.
Q: How do I know if a user is being blocked by Protected Users? A: Check the Security Event Log on the Domain Controller. You will see Kerberos authentication failures (Event ID 4768 or 4769) that indicate an "encryption type" error or a "pre-authentication" failure.
Q: Does this group replace the need for multi-factor authentication (MFA)? A: No. Protected Users protects against specific protocol-based attacks. It does not protect against password spraying or phishing. MFA is a separate, critical layer of security that should be implemented alongside Protected Users.
Q: Is it safe to add the "Domain Admin" account to the Protected Users group? A: It is highly recommended. Because Domain Admin accounts are the primary targets for attackers, hardening them using the Protected Users group is one of the most effective ways to raise the cost of an attack on your network.
The Philosophy of "Assume Breach"
When working with identity security, you must adopt the "Assume Breach" mindset. This means you operate under the assumption that an attacker has already gained access to a low-privilege segment of your network. Your goal is not to prevent an attacker from entering—it is to prevent them from moving.
The Protected Users group is a critical tool in this effort. By removing the ability for an attacker to extract credentials from memory, you effectively "devalue" the accounts they manage to compromise. If an attacker gains access to a computer where a Protected User has logged in, they will find no usable credentials to steal. This forces the attacker to find other, more difficult ways to escalate their privileges, providing you with more time to detect and respond to the intrusion.
Security is not a destination; it is a continuous process of hardening and monitoring. The Protected Users group provides a strong foundation, but it must be supported by a comprehensive identity management strategy, including the principle of least privilege, regular auditing, and proactive threat hunting.
Summary and Key Takeaways
As we conclude this lesson, let us summarize the essential points you should carry forward into your administrative practice:
- Credential Theft is the Primary Threat: Attackers leverage memory-resident credentials to move laterally through your network. The Protected Users group is specifically designed to prevent this by disabling credential caching and restricting delegation.
- Protocol Hardening: The group enforces modern, secure protocols (like AES) and disables vulnerable legacy protocols (like NTLM and RC4), significantly reducing the surface area for authentication-based attacks.
- Reduced TGT Lifetime: By shortening the window of validity for Kerberos tickets, you limit the time an attacker has to use stolen credentials, even if they manage to acquire them.
- Operational Caution: Always test the inclusion of accounts in the Protected Users group. Never include service accounts, and be aware of how this impacts legacy applications and RDP sessions.
- Tiered Administration is Key: The Protected Users group is most effective when used as part of a broader Tiered Administration strategy. Focus on protecting your most privileged accounts first.
- Evolution to Policies: Recognize that while the Protected Users group is a static, global solution, Windows Server offers more granular control through Authentication Policies and Silos. As your environment grows, consider transitioning to these more flexible tools.
- Continuous Monitoring: Security is never "set and forget." Use PowerShell to audit membership regularly and monitor domain controller event logs for potential issues or signs of attempted exploitation.
By mastering the Protected Users group, you are taking a definitive step toward a more resilient and secure identity infrastructure. It is a powerful, built-in mechanism that, when used correctly, acts as a significant barrier against the most common and damaging cyber threats facing Windows Server environments today. Remember that the goal is to make the environment as "expensive" and difficult for an attacker as possible; implementing these protections is a primary way to achieve that objective.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons