Protected Users Group
What is the Protected Users Group
The Protected Users group is a built-in Active Directory security group designed to help prevent credential theft for its members by enforcing restrictions that cannot be disabled or configured around; the only way to lift them is to remove the account from the group. The client-side protections apply when a member signs in to Windows 8.1 / Windows Server 2012 R2 or later (or Windows 7 / Server 2008 R2 with the KB2871997 update); the domain-side protections are enforced by Domain Controllers running Windows Server 2012 R2 or later.
This makes it a good fit for privileged accounts that have administrative permissions on critical/secure systems or on a large number of systems.
Restrictions for Members of the Protected Users Group
Cannot authenticate using NTLM (or Digest, or CredSSP default credential delegation) - must authenticate using Kerberos. Anything that only accepts NTLM, such as connecting to a server by IP address instead of by name (Kerberos needs a hostname-based SPN), will fail for these accounts
Credentials are not cached on the client computer - the NTLM hash and Kerberos long-term keys are not kept in memory and no cached logon verifier is stored, so you cannot log in to a computer when it is offline or cannot reach a Domain Controller
TGTs expire after 4 hours and cannot be renewed - you must re-authenticate to get a new TGT, so long-running sessions will need to re-authenticate after 4 hours
Cannot use weak ciphers (DES or RC4) for Kerberos pre-authentication - must use AES. An account whose password was last set before the domain supported AES has no AES keys and will not be able to sign in once protected, so reset the password before adding the account
Cannot be delegated with unconstrained or constrained Kerberos delegation - this is one reason service accounts and computer accounts must not be placed in the group
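Before asking for an account to be added, it helps to check it against the restrictions above. The following PowerShell pre-flight check is an added example and is not part of the original page or an ITS-provided tool; it assumes the ActiveDirectory RSAT module, a domain-joined session with read rights, and a caller-supplied date (`-AesKeysSince`) for when the domain began generating AES keys, which is environment-specific. The encryption-type bit values are the documented msDS-SupportedEncryptionTypes flags.

```powershell
# Added example, not from the original page: pre-flight check of accounts
# against the Protected Users restrictions (NTLM-only services, delegation,
# AES support) and their current (nested) membership in the group.
Import-Module ActiveDirectory

# Documented bit flags of msDS-SupportedEncryptionTypes.
$ETYPE_DES_CRC = 0x01
$ETYPE_DES_MD5 = 0x02
$ETYPE_RC4     = 0x04
$ETYPE_AES128  = 0x08
$ETYPE_AES256  = 0x10

function Test-ProtectedUsersCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$SamAccountName,

        # Assumption: date after which password changes produce AES keys
        # (when the domain reached the 2008 functional level). Set per domain.
        [Parameter(Mandatory)]
        [datetime]$AesKeysSince
    )
    begin {
        # Resolve current membership once, including nested groups, so that
        # accounts protected via a departmental group are reported correctly.
        $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
            Select-Object -ExpandProperty SamAccountName
    }
    process {
        $props = 'servicePrincipalName', 'msDS-SupportedEncryptionTypes',
                 'TrustedForDelegation', 'TrustedToAuthForDelegation',
                 'msDS-AllowedToDelegateTo', 'PasswordLastSet'
        $u = Get-ADUser -Identity $SamAccountName -Properties $props
        $issues = @()

        # Service accounts (SPNs) still receive NTLM logons from legacy clients
        # and cannot be delegated; they do not belong in Protected Users.
        if ($u.servicePrincipalName.Count -gt 0) {
            $issues += "has SPNs ($($u.servicePrincipalName -join ', ')); looks like a service account"
        }

        # Unconstrained or constrained delegation configured on the account
        # stops working for Protected Users members.
        if ($u.TrustedForDelegation) {
            $issues += 'trusted for unconstrained delegation'
        }
        if ($u.TrustedToAuthForDelegation -or $u.'msDS-AllowedToDelegateTo') {
            $issues += 'configured for constrained delegation'
        }

        # AES must be allowed. An unset attribute (0) falls back to domain
        # defaults; an explicit value without either AES bit blocks sign-in.
        $etypes = [int]$u.'msDS-SupportedEncryptionTypes'
        $aesBits = $ETYPE_AES128 -bor $ETYPE_AES256
        if ($etypes -ne 0 -and (($etypes -band $aesBits) -eq 0)) {
            $issues += ('msDS-SupportedEncryptionTypes=0x{0:X} excludes AES' -f $etypes)
        }
        if ($etypes -band ($ETYPE_DES_CRC -bor $ETYPE_DES_MD5 -bor $ETYPE_RC4)) {
            $issues += 'DES/RC4 still enabled on the account; harmless once protected, but tighten it'
        }

        # No AES keys exist if the password predates AES support in the domain.
        if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $AesKeysSince) {
            $issues += "password last set $($u.PasswordLastSet); reset it so AES keys exist"
        }

        [pscustomobject]@{
            SamAccountName   = $u.SamAccountName
            AlreadyProtected = ($protected -contains $u.SamAccountName)
            SafeToAdd        = ($issues.Count -eq 0)
            Issues           = ($issues -join '; ')
        }
    }
}

# Usage (account names are placeholders):
#   'jdoe', 'svc-backup' | Test-ProtectedUsersCandidate -AesKeysSince '2012-01-01' | Format-Table -AutoSize
```

Run it against the members of the departmental group you intend to nominate (`Get-ADGroupMember <your group> | Select-Object -ExpandProperty SamAccountName | Test-ProtectedUsersCandidate ...`) and resolve every reported issue, in particular by resetting stale passwords, before sending the request; an account that fails the AES check will simply stop being able to log in once it is protected.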
Protected Users at the University
The Protected Users group is being used to address audit findings related to lateral movement, where a compromised account or cached credential on one system is reused to reach others.
Protected Users Group Members in the Austin Domain
| Group | Who is included |
| --- | --- |
| Domain Admins | Domain Admins (Enterprise Technology staff who administer/manage the domain) |
| Department OU Admins (**coming soon**) | Department OU Admins will be added to the Protected Users group soon |
| Department Users (**coming later**) | All Department Users (this will not include Department Service Accounts) |
| Additional Users, By Request | Additional users can be added by request. Departments may want to include users with administrative access across a large set of computers, such as server or workstation admins. Requests can be made to ad-requests@its.utexas.edu. When making this request, create a group that you manage the membership of for this purpose; that way you can add and remove users as you need to. Only user accounts belong in it, not service or computer accounts. |
Related Topics - Info, Tips, and Troubleshooting for Members of Protected Users
Requesting a Security Exception for the Protected Users Group
A Security Exception must be requested from the ISO at https://isora.security.utexas.edu/#compliance in order to have a Department OU Admin removed from the Protected Users group.
Security exceptions last at most one year, so you must renew the exception for every year it is needed; otherwise, the user will automatically be added back to the Protected Users group when the exception expires.