Protected Users Group
What is the Protected Users Group
The Protected Users group is designed to help prevent credential theft for its members by enforcing restrictions that cannot be disabled or circumvented; the only way around these restrictions is to remove the user from the Protected Users group.
This makes it a good way to protect privileged accounts that have administrative permissions on critical or secure systems, or on a large number of systems.
Restrictions for Members of the Protected Users Group
Cannot authenticate using NTLM - must authenticate using Kerberos
Credentials are not cached on a client computer - you cannot log in to a computer when it is offline or cannot reach a Domain Controller
TGTs expire after 4 hours and cannot be renewed - you must re-authenticate to get a new TGT
Prevents the use of weak ciphers (DES or RC4) for Kerberos encryption - must use AES
Cannot be delegated with unconstrained or constrained delegation
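Before adding an account to Protected Users, it is worth checking whether any of the restrictions above will break it. The following PowerShell is an added example, not part of the original page or of ITS tooling: it takes a group you manage (the group name is an assumption) and flags members that look like service accounts (they carry an SPN), have Kerberos delegation configured, or have an encryption-type setting that explicitly excludes AES. It assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example (not from the original page). Pre-flight check for candidate accounts:
# reports the configurations that Protected Users restrictions would break.
Import-Module ActiveDirectory

function Test-ProtectedUsersReadiness {
    param(
        # The group whose members you intend to add (name is an assumption for this example).
        [Parameter(Mandatory)] [string] $CandidateGroup
    )
    # Locate Protected Users by its well-known RID (525) rather than by display name.
    $protectedUsers   = Get-ADGroup -Identity "$((Get-ADDomain).DomainSID.Value)-525"
    $alreadyProtected = Get-ADGroupMember -Identity $protectedUsers -Recursive |
        Select-Object -ExpandProperty SamAccountName

    Get-ADGroupMember -Identity $CandidateGroup -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser $_ -Properties servicePrincipalName, TrustedForDelegation,
                    'msDS-AllowedToDelegateTo', 'msDS-SupportedEncryptionTypes'
            # Unset attribute reads as 0 (domain default); an explicit value without
            # the AES128 (0x8) or AES256 (0x10) bits means AES-only tickets cannot be issued.
            $enc = [int]($u.'msDS-SupportedEncryptionTypes')
            $findings = @()
            if ($u.servicePrincipalName)       { $findings += 'Has SPN: looks like a service account' }
            if ($u.TrustedForDelegation)       { $findings += 'Unconstrained delegation configured' }
            if ($u.'msDS-AllowedToDelegateTo') { $findings += 'Constrained delegation configured' }
            if ($enc -ne 0 -and ($enc -band 0x18) -eq 0) {
                $findings += 'Encryption types explicitly exclude AES'
            }
            [pscustomobject]@{
                SamAccountName   = $u.SamAccountName
                AlreadyProtected = $alreadyProtected -contains $u.SamAccountName
                Findings         = ($findings -join '; ')
            }
        }
}

# Usage (group name is an assumption):
# Test-ProtectedUsersReadiness -CandidateGroup 'DEPT-ProtectedUsers-Candidates' | Format-Table -AutoSize
```

Accounts with an empty Findings column are the ones the restrictions should not disrupt; the others need a service account moved out, delegation removed, or a password reset after AES is enabled before they are added.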
Protected Users at the University
The Protected Users group is being leveraged to address audit findings related to lateral account movement.
Protected Users Group Members in the Austin Domain
| Group Members | Member Details |
|---|---|
| Domain Admins | Domain Admins (Enterprise Technology staff who administer/manage the domain) |
| Department User Accounts | Will be added on Jun 16, 2026. These are user accounts that are created/managed in the Department User Tools; Department Service Accounts are not included. |
| Additional Users, By Request | Additional users can be added, by request, until all users have been added (useful if you want to test something as a member of Protected Users before Jun 16, 2026). Requests can be made on ad-requests@its.utexas.edu. When making this request, create a group whose membership you manage for this purpose, so that you can add and remove users as you need to. |
Related Topics - Info, Tips, and Troubleshooting for Members of Protected Users
Requesting a Security Exception for the Protected Users Group
A Security Exception must be requested from the ISO on https://isora.security.utexas.edu/#compliance in order to have a Department OU Admin removed from the Protected Users group.
Security exceptions last at most one year, so you must renew the exception every year it is needed; otherwise, the user is automatically added back to the Protected Users group when the exception expires.