The Protected Users group is a security group in Windows that was introduced in Windows Server 2012 R2 and Windows 8.1. It is designed to provide an additional layer of security for user accounts that require extra protection against credential theft and similar attacks.
Membership in the Protected Users group provides the following security benefits:
- Credential caching is disabled: When a user logs in, their credentials are not cached on the local computer or any domain controller. This makes it harder for an attacker to obtain and reuse those credentials.
- NTLM authentication is disabled: The use of the older and less secure NTLM authentication protocol is disabled for members of the Protected Users group, forcing the use of Kerberos or other more secure authentication protocols.
- Enhanced encryption for Kerberos tickets: Members of the Protected Users group receive enhanced encryption for their Kerberos tickets, making them harder to decrypt and forge.
Membership in the Protected Users group is designed for user accounts that require a high level of protection, such as administrative or service accounts. Some applications and services may not be compatible with the additional security measures enforced on members of the Protected Users group, so careful testing and planning are required before adding users to this group.
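
A pre-check for the testing step described above, as an added example that is not part of the original page: the hypothetical helper `Get-ProtectedUsersReadiness` flags candidate accounts that still authenticate with NTLM or carry service principal names before they are added to the group. The account names, the `example.test` SPN and the `Domain Admins` candidate group are constructed or assumed, and the list of NTLM users is assumed to come from your own log review.

```powershell
# Added example. Get-ProtectedUsersReadiness is a hypothetical helper, not a built-in cmdlet.
function Get-ProtectedUsersReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Candidate,  # objects shaped like Get-ADUser output
        [string[]] $ProtectedMember = @(),             # SamAccountNames already in Protected Users
        [string[]] $NtlmUser = @()                     # SamAccountNames seen using NTLM in your logs
    )
    foreach ($c in $Candidate) {
        $issues = @()
        if ($NtlmUser -contains $c.SamAccountName) {
            $issues += 'uses NTLM today; those logons fail once the account is protected'
        }
        # Filter out $null so an account without SPNs counts as zero.
        $spns = @($c.ServicePrincipalName | Where-Object { $_ })
        if ($spns.Count -gt 0) {
            $issues += "has $($spns.Count) SPN(s); test the dependent service first"
        }
        $status = 'Ready'
        if ($issues.Count -gt 0) { $status = 'NeedsTesting' }
        if ($ProtectedMember -contains $c.SamAccountName) { $status = 'AlreadyProtected' }
        [pscustomobject]@{
            Account = $c.SamAccountName
            Status  = $status
            Issues  = $issues -join '; '
        }
    }
}

# Constructed sample input so the report logic can be run without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'adm.alice';  ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'adm.bob';    ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'svc.backup'; ServicePrincipalName = @('MSSQLSvc/db01.example.test:1433') }
)
Get-ProtectedUsersReadiness -Candidate $sample -ProtectedMember 'adm.alice' -NtlmUser 'adm.bob' |
    Format-Table -AutoSize

# Live data (needs the ActiveDirectory module; 'Domain Admins' is an assumed candidate group):
# $candidates = Get-ADGroupMember 'Domain Admins' -Recursive |
#     Where-Object objectClass -eq 'user' | Get-ADUser -Properties ServicePrincipalName
# $protected  = (Get-ADGroupMember 'Protected Users').SamAccountName
# Get-ProtectedUsersReadiness -Candidate $candidates -ProtectedMember $protected -NtlmUser $ntlmNames
```

Accounts reported as `NeedsTesting` are the ones to validate in a pilot before changing their group membership.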