Protected Users Group

The Protected Users group is a special security group, added by Microsoft with the release of Windows Server 2012 R2, that enforces additional security requirements to protect accounts against credential theft and authentication attacks. Its primary purpose is to protect accounts which, if compromised, could provide wider access across the domain or forest.

In this article we’re going to add all accounts with Domain Admin access to the Protected Users group. This will limit the number of avenues malicious actors have available when attempting to exploit and gain access to these sensitive accounts.

ℹ️
If opting to add other types of accounts to the Protected Users group, it's recommended that thorough testing be performed before rolling the change out to production.

Lastly, as a precaution, it's recommended that at least one Domain Admin account remain outside of this group. This account should preferably be one that isn't commonly used (a backup Domain Admin account, for example).

Effects

If you're wondering what security changes this group enforces, here is the list:

ℹ️
This list assumes a Windows Server 2012 R2 domain functional level or higher.

  • Accounts cannot use NTLM for authentication.
  • Credential delegation (CredSSP) will not cache the user’s plain text credentials.
  • Windows Digest will not cache the user’s plain text credentials.
  • Kerberos will not cache the user’s plain text credentials.
  • Kerberos will no longer create DES or RC4 keys.
  • Kerberos pre-authentication will not use DES or RC4 ciphers.
  • Kerberos will not cache long-term keys after the initial TGT is acquired.
  • Kerberos TGTs cannot be renewed with a time-to-live (TTL) period of more than four hours.
  • A cached verifier is not created at sign-in or unlock, so offline sign-in is no longer supported.
  • Constrained and unconstrained delegation is blocked.

Configuration

To add a user and/or group to the Protected Users group, perform the following steps:

  1. Open Active Directory Users & Computers.
  2. Browse to the user/group you’d like added.
  3. In the properties of the user/group, open the Member Of tab.
  4. Search for and select the Protected Users security group.

As previously mentioned, ensure one Domain Admin account remains outside of the Protected Users group. This is an insurance policy in case an access issue occurs. The excluded account should preferably be one that is not commonly used; a break-glass account, for example.
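The same change can be scripted for every Domain Admin at once while keeping the break-glass account out. The script below is an added example and is not part of the original article; it assumes the ActiveDirectory PowerShell module is installed, and the break-glass account name is a placeholder you supply.

```powershell
#Requires -Modules ActiveDirectory
# Added example: add every user holding Domain Admin membership (directly or
# through nesting) to Protected Users, except the designated break-glass account.
# Run with -WhatIf first to preview the changes without applying them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # sAMAccountName of the Domain Admin that must stay OUT of Protected Users
    # (placeholder; pass your own break-glass account name).
    [Parameter(Mandatory)]
    [string]$BreakGlassAccount
)

Import-Module ActiveDirectory

# Resolve Domain Admins recursively and keep only user objects. Service and
# computer accounts must never be placed in Protected Users, so they are dropped.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# Refuse to continue if the break-glass account is not actually a Domain Admin;
# otherwise no admin would be left outside the group.
if (-not ($domainAdmins.SamAccountName -contains $BreakGlassAccount)) {
    throw "Break-glass account '$BreakGlassAccount' is not a Domain Admin; aborting."
}

# Current Protected Users membership, so repeated runs are idempotent.
$alreadyProtected = Get-ADGroupMember -Identity 'Protected Users' |
    Select-Object -ExpandProperty SamAccountName

$toAdd = $domainAdmins | Where-Object {
    $_.SamAccountName -ne $BreakGlassAccount -and
    $alreadyProtected -notcontains $_.SamAccountName
}

foreach ($user in $toAdd) {
    # ShouldProcess honours -WhatIf / -Confirm for each account individually.
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Add to Protected Users')) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $user
    }
}

Write-Output ("Domain Admin users: {0}; already protected: {1}; added: {2}; kept outside (break-glass): {3}" -f
    @($domainAdmins).Count,
    @($domainAdmins | Where-Object { $alreadyProtected -contains $_.SamAccountName }).Count,
    @($toAdd).Count,
    $BreakGlassAccount)
```

Re-run the script after the change: the summary line should report zero accounts added and only the break-glass account outside the group.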