AD protected users group:

WARNING – protected users group:

If your high-privilege account is a member of this group, you can experience behavior like access denied errors, Invoke-Command or WinRM failures, PowerShell Get-ExecutionPolicy…

Being a member of this group removes NTLM and CredSSP…

Members of the Protected Users group who are signed-on to Windows 8.1 devices and Windows Server 2012 R2 hosts can no longer use:

  • Default credential delegation (CredSSP) – plaintext credentials are not cached even when the Allow delegating default credentials policy is enabled
  • Windows Digest – plaintext credentials are not cached even when they are enabled
  • NTLM – NTOWF is not cached
  • Kerberos long term keys – Kerberos ticket-granting ticket (TGT) is acquired at logon and cannot be re-acquired automatically
  • Sign-on offline – the cached logon verifier is not created

If the domain functional level is Windows Server 2012 R2, members of the group can no longer:

  • Authenticate by using NTLM authentication
  • Use Data Encryption Standard (DES) or RC4 cipher suites in Kerberos pre-authentication
  • Be delegated by using unconstrained or constrained delegation
  • Renew user tickets (TGTs) beyond the initial 4-hour lifetime

Example: the Set-AdfsSslCertificate cmdlet returns an access denied error.
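Before blaming a cmdlet, check whether the account is actually in Protected Users (directly or through a nested group) and whether the domain functional level turns on the second set of restrictions. The following is an added example, not part of the original note; it assumes the ActiveDirectory RSAT module and a domain-joined session, and the account name in the usage line is a placeholder.

```powershell
# Added example: report which Protected Users restrictions apply to an account.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
function Test-ProtectedUserImpact {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Account)

    Import-Module ActiveDirectory -ErrorAction Stop
    $user   = Get-ADUser -Identity $Account
    $domain = Get-ADDomain

    # Protected Users is the well-known domain group with RID 525.
    $protectedUsers = Get-ADGroup -Identity "$($domain.DomainSID.Value)-525"

    # Transitive check: LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks
    # nested groups on the DC, so membership via a nested group is detected as well.
    $filter   = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $isMember = [bool](Get-ADGroup -LDAPFilter $filter |
                       Where-Object ObjectGUID -eq $protectedUsers.ObjectGUID)

    # NTLM, DES/RC4 pre-auth, delegation and the 4-hour TGT limit only apply once
    # the domain functional level is Windows Server 2012 R2 or higher.
    $minDfl          = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
    $dflRestrictions = [int]$domain.DomainMode -ge $minDfl

    [pscustomobject]@{
        Account                  = $user.SamAccountName
        ProtectedUsersMember     = $isMember
        DomainFunctionalLevel    = $domain.DomainMode.ToString()
        # Host-side effects (Windows 8.1 / 2012 R2 and later), independent of DFL.
        NoCredSSP_NoNTLMCache    = $isMember
        NoWDigest_NoOfflineLogon = $isMember
        # DFL-dependent effects.
        NTLMAuthBlocked          = $isMember -and $dflRestrictions
        DES_RC4_PreAuthBlocked   = $isMember -and $dflRestrictions
        DelegationBlocked        = $isMember -and $dflRestrictions
        TGTLimitedTo4Hours       = $isMember -and $dflRestrictions
    }
}

# Usage (placeholder account name):
Test-ProtectedUserImpact -Account 'adfs-admin'
```

A result with NTLMAuthBlocked and DelegationBlocked set to True explains the WinRM, Invoke-Command and CredSSP failures described above; run the task from an account outside the group or over Kerberos instead of removing the protection.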