Protected Users Group

What is the Protected Users Group

The Protected Users group helps prevent credential theft for its members by applying restrictions that cannot be disabled or circumvented; the only way around these restrictions is to remove the user from the Protected Users group.

This makes it a great way to protect privileged accounts that have administrative permissions on critical/secure systems or on a large number of systems.

Restrictions for Members of the Protected Users Group

  • Cannot authenticate using NTLM - must authenticate using Kerberos

  • Credentials are not cached on a client computer - you cannot log in to a computer when it is offline or cannot reach a Domain Controller

  • TGTs expire after 4 hours and cannot be renewed - you must re-authenticate to get a new TGT

  • Prevents the use of weak ciphers (DES or RC4) for Kerberos encryption - must use AES

  • Cannot be delegated with unconstrained or constrained delegation
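To see which of these restrictions an account is hitting after it joins the group, the following added example (not part of the original page or any University tooling) triages the domain controller events that Microsoft documents for Protected Users: 100 and 104 in ProtectedUserFailures-DomainController, and 303 in ProtectedUserSuccesses-DomainController. The CSV column names, account names and host names are assumptions constructed for the example.

```python
import csv
import io
from collections import defaultdict

# DC-side events Microsoft documents for Protected Users, found under
# Applications and Services Logs\Microsoft\Windows\Authentication.
# These logs are disabled by default and must be enabled on the DCs first.
FAILURES = {
    ("ProtectedUserFailures-DomainController", 100): "NTLM sign-in refused",
    ("ProtectedUserFailures-DomainController", 104): "DES/RC4 Kerberos refused",
}
SUCCESS = ("ProtectedUserSuccesses-DomainController", 303)  # TGT issued

# Constructed sample export; column names are assumptions for this example,
# not a fixed Windows export format.
SAMPLE_CSV = """time,log,event_id,account,source
2026-06-16T14:05:00,ProtectedUserFailures-DomainController,100,dept-app1,app-srv-01
2026-06-16T14:06:10,ProtectedUserFailures-DomainController,100,dept-app1,app-srv-01
2026-06-16T14:07:30,ProtectedUserSuccesses-DomainController,303,dept-user2,ws-114
2026-06-16T14:09:00,ProtectedUserFailures-DomainController,104,dept-user3,legacy-nas
2026-06-16T14:12:00,ProtectedUserFailures-DomainController,100,dept-user2,print-srv
2026-06-16T14:20:00,ProtectedUserSuccesses-DomainController,303,dept-user4,ws-201
"""

def triage(csv_text):
    """Return {account: {"status": str, "failures": {(reason, source): count}}}."""
    seen = defaultdict(lambda: {"ok": False, "failures": defaultdict(int)})
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["log"], int(row["event_id"]))
        if key != SUCCESS and key not in FAILURES:
            continue  # unrelated event, ignore it
        acct = seen[row["account"].lower()]
        if key == SUCCESS:
            acct["ok"] = True
        else:
            acct["failures"][(FAILURES[key], row["source"])] += 1
    report = {}
    for name, acct in seen.items():
        # working: only TGT successes; partial: Kerberos works somewhere but a
        # client or app still fails; blocked: failures and no TGT success seen.
        status = ("working" if not acct["failures"]
                  else "partial" if acct["ok"] else "blocked")
        report[name] = {"status": status, "failures": dict(acct["failures"])}
    return report

if __name__ == "__main__":
    for name, info in sorted(triage(SAMPLE_CSV).items()):
        print(name, info["status"])
        for (reason, source), n in sorted(info["failures"].items()):
            print(f"    {reason} from {source} x{n}")
```

Accounts reported as "partial" usually point at one application or device that needs remediation, while "blocked" accounts are the ones to look at first when deciding whether an exception is needed.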

Protected Users at the University

The Protected Users group is being leveraged to address audit findings related to lateral account movement.

Protected Users Group Members in the Austin Domain

| Group Members | Member Details |
| --- | --- |
| Domain Admins | Domain Admins (Enterprise Technology staff who administer/manage the domain) |
| Department User Accounts | These are User Accounts that are created/managed in the Department User Tools; Department Service Accounts are not included. |

STATUS UPDATES

  • June 16, 2:20 PM: Department User Accounts were added

  • June 17, 11:20 AM: Department User Accounts were removed

    • Reported issues with vCenter connections.

  • June 23, 2 PM: Department User Accounts added to the PU Group.

    • NOTE: vCenter users exempted while vCenter remediation continues.

TIMELINE:
Part of the email sent to IT Updates on May 13, 2026

  • June 16, 2026 – 2:00 PM

    • Every non-EID user will be placed into the Protected Users (PU) group

    • Application owners: test if your non-EID users can authenticate

    • If everything works as expected, the changes will remain and future timeline dates will not be needed.

  • June 23 - July 28, 2026 (on Tuesdays)

    • If there are issues, the changes will be rolled back and attempted each Tuesday at 2:00 PM until July 28:

      • June 23, 2026 - 2:00 PM

      • June 30, 2026 - 2:00 PM

      • July 7, 2026 - 2:00 PM

      • July 14, 2026 - 2:00 PM

      • July 21, 2026 - 2:00 PM

  • July 28 - 2:00 PM

    • Final migration. No rollbacks after this date.

    • Users may need to request an exception to avoid having a non-EID department user account moved to the PU group.

Related Topics - Info, Tips, and Troubleshooting for Members of Protected Users

Requesting a Security Exception for the Protected Users Group

A Security Exception must be requested from the ISO on https://isora.security.utexas.edu/#compliance in order to have a Department User removed from the Protected Users group.

Security exceptions can only last a year, so you must renew the exception every year that it is needed - otherwise, the user will automatically be added back to the Protected Users group when the exception expires.

Additional Information

Protected Users Security Group in Windows Server