PRACTITIONER GUIDE | IDENTITY SECURITY
Practitioner GuideUpdated 9 min read

Windows Protected Users Security Group: How to Harden Privileged Accounts Against Credential Theft Without Complex Configuration

Five enforcements
Protected Users membership simultaneously enforces: no NTLM authentication, no Kerberos delegation, no credential caching, AES-only Kerberos encryption, and ticket lifetime capped to the maximum ticket lifetime policy (no renewal beyond that cap)
Server 2012 R2 PDC
is the minimum requirement. The PDC emulator must be running Windows Server 2012 R2 or later for Protected Users group membership to enforce the NTLM and Kerberos restrictions. Domain functional level does not need to be raised
No configuration required
beyond adding the account to the group. There is no Group Policy to configure, no registry setting to change, and no service to restart. The protections take effect on the account's next authentication
Domain accounts only
Protected Users protections apply only to domain accounts. Local accounts are not affected. Computer accounts should not be added to Protected Users -- it breaks Windows services that run as computer accounts

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Adding a privileged account to the Protected Users group is the single highest-leverage, lowest-complexity credential protection step available in Active Directory. It does not require Group Policy changes, registry edits, or service restarts. It immediately blocks the most common credential theft paths for that account: NTLM relay, Pass-the-Hash, credential caching on endpoints, and Kerberos delegation abuse. The tradeoff is compatibility -- accounts that rely on NTLM, credential caching (offline access), or Kerberos delegation will break. For tier 0 accounts (Domain Admins, krbtgt, ADFS service accounts), that tradeoff is almost always worth it.

What Protected Users Actually Enforces

Understanding each enforcement prevents surprises during deployment:

1. No NTLM authentication Members cannot authenticate using NTLM regardless of client or server NTLM settings. Any application, service, or authentication path that falls back to NTLM fails for Protected Users members. This is the most impactful compatibility constraint.

2. No credential caching Windows does not cache the credentials of Protected Users members on local machines. This means: if the account is used to log in to a laptop and the laptop loses connectivity to a DC, the user cannot log in. This is by design -- a stolen laptop does not contain a cached credential that can be extracted.

3. No Kerberos delegation Members cannot be configured for unconstrained or constrained Kerberos delegation. Any service that impersonates a Protected Users account via delegation receives an error.

4. AES-only Kerberos encryption Kerberos tickets for Protected Users members use only AES128 or AES256. RC4 (the cipher used in Kerberoasting because it has a known hash format) is not used. If an attacker Kerberoasts a Protected Users member's service ticket, they receive an AES-encrypted ticket -- significantly harder to offline crack than RC4.

5. Ticket lifetime and renewal TGTs for Protected Users are limited to the Maximum Ticket Lifetime (default 10 hours) and cannot be renewed. Standard domain users can renew Kerberos tickets for up to 7 days without re-authenticating.

Check current members:

Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object Name, SamAccountName, ObjectClass

Which Accounts to Add (and Which to Avoid)

Add immediately (tier 0 accounts):

  • Domain Admins members
  • Enterprise Admins members
  • Schema Admins members
  • krbtgt account (the Kerberos ticket-granting account)
  • ADFS service accounts
  • Azure AD Connect sync accounts (check NTLM usage first)
  • Your own admin account
  • Privileged Access Workstation (PAW) accounts

Add after testing (tier 1 accounts):

  • Server administrators
  • Backup operator accounts
  • PKI/CA administrator accounts
  • Virtualization administrator accounts

Do not add:

  • Computer accounts (breaks services running as the machine account)
  • Service accounts that use NTLM for authentication (breaks the service)
  • Service accounts configured for Kerberos delegation (breaks delegation)
  • Accounts used on offline/field laptops where cached credentials are needed for operation
  • The local Administrator account (Protected Users has no effect on local accounts)

Add a tier 0 account:

# Add a single account
Add-ADGroupMember -Identity 'Protected Users' -Members 'jsmith-admin'

# Add all current Domain Admins to Protected Users
Get-ADGroupMember -Identity 'Domain Admins' | ForEach-Object {
    Add-ADGroupMember -Identity 'Protected Users' -Members $_.SamAccountName
    Write-Host "Added: $($_.SamAccountName)"
}
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Troubleshoot Authentication Failures After Adding an Account

The most common failures after adding an account to Protected Users:

NTLM authentication failure:

Error: NTLM authentication is not allowed for user 'DOMAIN\username'
# Or: 'The user account is configured to prevent delegation'

Identify what is using NTLM: enable NTLM audit logging on DCs (Network Security: Restrict NTLM > Audit NTLM in this domain) and check Event ID 8004 (NTLM blocked) in the operational log.

Service account failure:

# Event ID 4769 on DC with Failure Code 0x12 or 0x18
# Or: Service fails to start with 'Logon failure: unknown user name or bad password'

If a service account is in Protected Users and the service uses NTLM, you must either remove the account from Protected Users or change the service to use Kerberos with an SPN.

Offline login failure: Users in Protected Users who cannot reach a DC at login receive: 'There are currently no logon servers available to service the logon request.' This is expected -- remove the account from Protected Users if offline access is required.

Delegation failure:

# Find services failing due to delegation blocked by Protected Users
# Event ID 4768/4769 on DC with result code 0x1D (KDC_ERR_BADOPTION)
# Or application event: 'The Kerberos client received a KRB_AP_ERR_BAD_INTEGRITY error'

Diagnostic command:

# Test if an account is affected by Protected Users
Get-ADUser 'jsmith-admin' -Properties MemberOf |
    Select-Object -ExpandProperty MemberOf |
    Where-Object { $_ -match 'Protected Users' }
# If this returns a DN, the account is in Protected Users

The bottom line

Protected Users group membership is the highest-return single action for tier 0 account protection in Active Directory. Add Domain Admins, Enterprise Admins, and the krbtgt account first. Test each addition by verifying the account can still authenticate to the systems it needs to access -- the only expected failures are services that depend on NTLM, delegation, or offline credential caching. Monitor the NTLM audit log on DCs after adding accounts to catch compatibility issues before they become outages.

Frequently asked questions

Does Protected Users protect against Pass-the-Hash?

Partially. Protected Users prevents the protected account from being used for NTLM authentication, which is the protocol used in Pass-the-Hash attacks. If an attacker steals an NTLM hash for a Protected Users member, they cannot authenticate using that hash via NTLM. However, if the attacker steals a valid Kerberos TGT or service ticket for the account (Pass-the-Ticket), they can still authenticate as that account for the lifetime of the ticket. Protected Users reduces the ticket lifetime, which limits the window of exposure, but does not eliminate Pass-the-Ticket.

Can the krbtgt account be added to Protected Users?

Yes. Microsoft explicitly recommends adding the krbtgt account to Protected Users. The krbtgt account does not authenticate interactively or via NTLM -- it is used exclusively by the KDC to sign Kerberos tickets. Adding it to Protected Users enforces AES-only encryption for krbtgt operations, which is a meaningful hardening step. There is no functional impact on normal Kerberos operations in environments running Windows Server 2012 R2 or later DCs.

Does Protected Users affect the account if the user logs in locally to a server?

Yes. The no-caching enforcement applies even for direct console or RDP logins to servers. Credentials for Protected Users members are not cached on the server they log in to. This means an attacker with SYSTEM access on a server cannot retrieve cached credentials for a Protected Users member even if that member previously logged in to the server. For administrators who use privileged accounts to log in directly to servers (which should be avoided via PAW architecture), the credential cache protection reduces the value of that server as a credential harvesting target.

How do I know which service accounts are safe to add to Protected Users?

The test is whether the service account uses NTLM or Kerberos delegation. Run NTLM audit logging for a week before adding any service account: Computer Configuration > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM > Audit NTLM authentication in this domain. Any account that appears in NTLM audit Event ID 8003/8004 is using NTLM and will break if added to Protected Users. Separately, query for accounts with delegation set: Get-ADUser -Filter {TrustedForDelegation -eq $true}. If the service account appears in either list, it is not safe to add without first changing the service configuration.

How does the Protected Users group affect RDP sessions and interactive logins?

Protected Users members can still perform RDP and interactive logins without any user-facing change. The enforcement is at the credential storage level, not the authentication flow. What changes behind the scenes: the credentials typed during RDP or console login are NOT cached in LSASS on the server being logged in to, NTLM authentication is blocked (so RDP must use Kerberos), and Kerberos ticket lifetimes are capped at 4 hours. The 4-hour ticket cap means users who leave RDP sessions open for extended periods may receive Kerberos reauthentication prompts after 4 hours. This is the most common user-visible impact and it is worth communicating to admin teams who use long-running RDP sessions.

Should senior executives and board members be added to the Protected Users group?

Yes -- high-value targets are exactly who Protected Users is designed for. Executives and board members are frequently targeted by spear-phishing and BEC because their credentials provide access to sensitive communications, financial approvals, and M&A information. Adding them to Protected Users blocks NTLM authentication for their accounts (forcing Kerberos on all internal access), prevents credential caching on systems they log in to, and reduces Kerberos ticket lifetimes. The practical prerequisite: verify that none of their accounts are used as service accounts or run scheduled tasks (these use NTLM or require delegation which Protected Users blocks). A service account for an executive's automation workflow is a common discovery during the compatibility assessment that must be resolved before adding the account. After adding, communicate to the executive's IT support team that NTLM-based access from legacy applications will fail and should be reported rather than worked around.

Sources & references

  1. Microsoft -- Protected Users Security Group
  2. Microsoft -- How to configure Protected Accounts

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.