Active Directory · Term

What is the Protected Users group?

The Protected Users group applies a set of strong Kerberos and credential protections to its members automatically, shrinking what an attacker can do with a privileged account. Here is what it is and what it changes.

TL;DR

Protected Users is a built-in Active Directory security group that applies non-negotiable credential protections to its members: it blocks NTLM authentication, disables weak RC4 and DES Kerberos encryption, prevents the account from being delegated, and stops credentials from being cached on machines. The effect is to shrink the attack surface of privileged accounts, blunting Pass-the-Hash, delegation abuse, and credential theft, with the trade-off that members must use Kerberos-compatible, modern access paths.

By John Dill, Red Team Lead, SecureLayer7

What the Protected Users group is

Privileged accounts are the most valuable targets, so Active Directory provides a group that hardens them automatically. Adding a user to Protected Users enforces several protections at once, with no per-machine configuration:

  • No NTLM: members can only authenticate with Kerberos.
  • No weak Kerberos crypto: RC4 and DES are refused, so only AES is used.
  • No delegation: the account cannot be delegated (constrained or unconstrained).
  • No credential caching: the account’s credentials are not cached on the machines it logs in to, and it gets shorter ticket lifetimes.

What it blunts

Each protection removes an attacker technique for that account:

  • Pass-the-Hash is hindered because NTLM is off, and there are no cached credentials on workstations to harvest.
  • Delegation abuse (unconstrained, constrained, RBCD) cannot target the account, because it cannot be delegated.
  • Kerberoasting and AS-REP roasting get harder because weak RC4 is refused for the account's tickets.
  • Pass-the-Ticket windows shorten due to reduced ticket lifetimes.

The trade-off is real: members lose NTLM, unconstrained delegation, and caching, so accounts that depend on legacy access need testing before being added.

How to use it

  • Add Tier 0 and other highly privileged accounts to Protected Users, after validating they do not depend on NTLM, delegation, or credential caching.
  • Combine with Credential Guard and LAPS for layered protection.
  • Do not add service accounts blindly, since many rely on the very features the group disables.
  • Confirm a modern, Kerberos-only access path for every member.
  • Review membership regularly as privileged accounts change.
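The pre-check the list above calls for, as an added PowerShell example (not code from the original page or from SecureLayer7): it reads the delegation, SPN and encryption-type attributes that Protected Users will override, reports anything that would break, and only then stages the group addition. It assumes the ActiveDirectory RSAT module and rights to read and modify the account; the sample account name is a placeholder.

```powershell
# Added example: check an account for dependencies that Protected Users disables,
# then add it to the group only when the check is clean. Assumes RSAT's
# ActiveDirectory module is installed and the caller may read/modify the account.
Import-Module ActiveDirectory

function Test-ProtectedUsersCandidate {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties `
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', `
        ServicePrincipalNames, 'msDS-SupportedEncryptionTypes', MemberOf

    $issues = @()

    # Delegation configured on the account itself stops working for members.
    if ($u.TrustedForDelegation) { $issues += 'Unconstrained delegation is enabled' }
    if ($u.TrustedToAuthForDelegation -or $u.'msDS-AllowedToDelegateTo') {
        $issues += 'Constrained delegation is configured'
    }

    # An SPN usually means a service account, which the article says not to add blindly.
    if ($u.ServicePrincipalNames.Count -gt 0) {
        $issues += "Has SPNs ($($u.ServicePrincipalNames -join ', ')): likely a service account"
    }

    # msDS-SupportedEncryptionTypes bitmask: 4 = RC4, 8 = AES128, 16 = AES256.
    # Members must be able to use AES; RC4-only accounts will fail to get tickets.
    $enc = [int]$u.'msDS-SupportedEncryptionTypes'   # $null casts to 0 (unset)
    if ($enc -ne 0 -and -not ($enc -band 24)) { $issues += 'No AES encryption types supported' }
    if ($enc -eq 0) { $issues += 'WARN: encryption types unset; verify domain default allows AES' }

    $alreadyMember = $u.MemberOf -match '^CN=Protected Users,'
    [pscustomobject]@{
        Account       = $u.SamAccountName
        AlreadyMember = [bool]$alreadyMember
        Issues        = $issues
        SafeToAdd     = ($issues -notmatch '^(Unconstrained|Constrained|Has SPNs|No AES)').Count -eq $issues.Count
    }
}

# Usage with a placeholder account. -WhatIf stages the change; drop it to apply.
$result = Test-ProtectedUsersCandidate -SamAccountName 'EXAMPLE-tier0-admin'
$result | Format-List
if ($result.SafeToAdd -and -not $result.AlreadyMember) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $result.Account -WhatIf
}
```

Run it against each candidate before adding, and re-run it as part of the periodic membership review so drift (a new SPN, delegation re-enabled) is caught.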
