Q: What's the purpose of the new Protected Users domain global group in Windows Server 2012 R2 Active Directory?

A: When a user account is added to the Protected Users group, a set of authentication protocol restrictions is applied to the account to better protect it against compromise of its credentials during the authentication process. Microsoft recommends adding high-value accounts—such as server administrators—to the Protected Users group. The authentication protocol restrictions include the following:

  • A member of the Protected Users group can sign on only by using the Kerberos protocol. The account can't authenticate using NTLM, Digest Authentication, or CredSSP.
  • The Kerberos protocol won't use the weaker DES or RC4 encryption types during the Kerberos pre-authentication process.
  • The user's account can't be delegated through Kerberos constrained or unconstrained delegation.

For more details on this new security group, see the Microsoft TechNet article "Protected Users Security Group."
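As an added example (not part of the original Q&A), the following PowerShell audit lists privileged user accounts that are not yet members of Protected Users and stages adding them. It assumes the RSAT ActiveDirectory module is installed and that Domain Admins, Enterprise Admins and Schema Admins are the groups you treat as high-value; adjust that list to your environment.

```powershell
# Added example, not from the original Q&A. Requires the RSAT ActiveDirectory module
# and rights to read the privileged groups and modify Protected Users.
Import-Module ActiveDirectory

# Assumption: these are the groups whose members should be in Protected Users.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')

# Resolve members recursively and keep only user objects. Computer accounts and
# group-managed service accounts are skipped on purpose: the NTLM and delegation
# restrictions described above would break services that still rely on them.
$candidates = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
}
$candidates = $candidates | Sort-Object -Property distinguishedName -Unique

# Current Protected Users membership, by distinguished name.
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty distinguishedName

# Privileged users that are not covered by the Protected Users restrictions.
$missing = $candidates | Where-Object { $protected -notcontains $_.distinguishedName }

if (-not $missing) {
    Write-Host 'All privileged user accounts are already members of Protected Users.'
    return
}

Write-Host 'Privileged user accounts NOT in Protected Users:'
$missing | Select-Object samAccountName, distinguishedName | Format-Table -AutoSize

# Stage the change with -WhatIf; remove it once the list has been reviewed and you
# have confirmed none of these accounts still needs NTLM, Digest, CredSSP or delegation.
Add-ADGroupMember -Identity 'Protected Users' -Members $missing -WhatIf
```

Run it from a workstation with the AD module against each domain you administer; the output is the gap list, and the final line only reports what would change until `-WhatIf` is removed.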