Department User Accounts Added to Protected Users Group Email
Enterprise Technology (ET) sent the following email to it-updates@utlists.utexas.edu on May 13, 2026.
ACTION REQUIRED: Update AD LDAP server for non-EID user applications by June 16, 2026
If you do not log in with a non-EID account (e.g., DEPTCODE-EID), or you do not manage an application that authenticates users with non-EID accounts against Austin Active Directory, you may ignore this message.
Enterprise Technology (ET) has initiated a project to address a Privileged Access Management (PAM) audit finding identified by Internal Audits in May 2022. The audit noted that the University lacked a centralized PAM solution to secure privileged account credentials. The associated risk was long-lived exposure of privileged credentials, particularly through cached credentials that could be exploited if compromised.
To remediate this finding, ET and the UT Information Security Office (UTISO) selected Microsoft Active Directory’s built-in Protected Users security group as the technical solution. Remediation actions may affect users authenticating with non-EID departmental accounts.
WHAT IS CHANGING
Department user accounts in Austin Active Directory will be added to the Protected Users group on June 16, 2026. A department user account is any non-service, non-EID user account created in the Department User Tools. After this change takes effect, these accounts will no longer be able to authenticate against the Austin Active Directory via either NTLM or LDAP simple bind.
To support applications that require LDAP simple bind authentication against Active Directory, the Active Directory team has implemented an Active Directory Lightweight Directory Services (AD LDS) environment, ldap.austin.utexas.edu.
Department service accounts will NOT be impacted by this change, nor will authentication against TED, entdir.utexas.edu.
WHEN
You must act prior to June 16, 2026.
ACTION REQUIRED
Applications that authenticate department user accounts with LDAP against the Austin Active Directory must ensure that the application is updated with the new AD LDS server name prior to June 16, 2026.
Application owners must:
- Replace any instance of “directory.austin.utexas.edu” or “austin.utexas.edu” with the new AD LDS server name, “ldap.austin.utexas.edu”
- Validate that your application continues to work as expected
- Reach out to the Active Directory team if your use case is not captured here or if you have other questions.
ADDITIONAL INFORMATION
This approach mitigates credential theft risks by preventing privileged credentials from being cached or stored on Windows and macOS endpoints. However, a key technical constraint of Protected Users is that member accounts cannot authenticate using LDAP simple binds and must rely on Kerberos.
To support applications that require LDAP simple bind authentication without reintroducing credential caching risks, the Active Directory team implemented the AD LDS environment. This proxies simple bind authentication for users in the Protected Users group as Kerberos authentication requests against Active Directory.
TIMELINE
Prior to June 16, 2026
If an application has users that authenticate with non-EID accounts against Austin AD, application owners must ensure that their applications point to “ldap.austin.utexas.edu”.
June 16, 2026 – 2:00 PM
Every non-EID user will be placed into the Protected Users (PU) group
Application owners: test if your non-EID users can authenticate
If they can’t, ensure that you are pointing to “ldap.austin.utexas.edu”.
If you are pointing to the correct AD directory and your users cannot connect, contact the AD team.
June 16 – July 28, 2026
Testing, confirmations, rollbacks, and reinstatements
If there are issues, the changes will be rolled back and attempted each Tuesday at 2:00 PM until July 28, 2026:
June 23, 2026
June 30, 2026
July 7, 2026
July 14, 2026
July 21, 2026
July 28, 2026
Final migration. No rollbacks or exceptions after this date.
QUESTIONS?
If you have questions, please contact the Active Directory team via ad-requests@austin.utexas.edu.
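
The following is an added example, not part of ET's email or any ET tooling: a small Python helper for the "replace any instance" step that finds the two old server names in application configuration text and repoints them to ldap.austin.utexas.edu. It matches the old names only as whole hostnames, so a blanket search-and-replace does not turn the new name into "ldap.ldap..." or rewrite e-mail addresses; the sample configuration, its key names, ports and the UPN-style login are constructed for illustration, and leaving "@" addresses untouched is an assumption that they are not server names.

```python
import re
import sys

NEW_HOST = "ldap.austin.utexas.edu"  # AD LDS name given in the email

# Old names from the email, matched only as a complete hostname:
#  - not preceded by a hostname character, '.', '-' or '@'
#    (skips ldap.austin.utexas.edu and user@austin.utexas.edu)
#  - not followed by further hostname labels
OLD_HOST = re.compile(
    r"(?<![\w.@-])(?:directory\.)?austin\.utexas\.edu(?![\w-]|\.\w)",
    re.IGNORECASE,
)

# Constructed sample configuration (key names, ports, login are illustrative).
SAMPLE = """\
ldap_uri = ldaps://directory.austin.utexas.edu:636
fallback_uri = ldaps://austin.utexas.edu
base_dn = DC=austin,DC=utexas,DC=edu
bind_user = DEPTCODE-EID@austin.utexas.edu
contact = ad-requests@austin.utexas.edu
already_done = ldaps://ldap.austin.utexas.edu
ted = ldaps://entdir.utexas.edu
"""


def find_old_hosts(text):
    """Return (line_number, line) for every line that names an old server."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if OLD_HOST.search(line)]


def repoint(text):
    """Return the text with each old server name replaced by NEW_HOST."""
    return OLD_HOST.sub(NEW_HOST, text)


if __name__ == "__main__":
    # With file arguments: report lines to change. Without: show the sample.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for n, line in find_old_hosts(fh.read()):
                    print(f"{path}:{n}: {line.strip()}")
    else:
        print(repoint(SAMPLE), end="")
```

Run it with configuration file paths as arguments to list the lines that still name an old server; the base DN, the TED entry and the "@" addresses in the sample are left unchanged.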