Protected Users & Authentication Policies
The Protected Users group and Authentication Policies are built-in AD features that harden Kerberos and block the most common credential attack techniques for sensitive accounts.
Active Directory has a built-in group called Protected Users. Adding an account to it makes Windows enforce several restrictions automatically: the account can authenticate only with Kerberos (NTLM is refused), its credentials are not cached on the workstations it signs in to, Kerberos delegation is disabled for it, and Kerberos uses AES only (DES and RC4 are refused). That one group membership blocks Pass-the-Hash, theft of cached credentials, delegation abuse, and Kerberoasting (because RC4 is disabled). Authentication Policies go further by controlling WHERE and HOW accounts can authenticate: you can restrict a Domain Admin account so it is issued a Kerberos ticket only when it authenticates from a specific PAW.
When a head of state visits a building, they do not use the same entrance as everyone else. They have an armored vehicle, a swept route, and bodyguards who enforce strict protocols — no handshakes with strangers, no unvetted rooms, no public exposure. The Protected Users group is like enrolling your VIP accounts in this protocol: AD automatically enforces stricter authentication rules, blocks dangerous legacy protocols, and prevents credential caching — all without the admin having to configure each protection individually.
Key Takeaways
- Protected Users blocks NTLM, disables delegation, forces AES-only Kerberos, and prevents credential caching.
- A single group membership neutralizes Pass-the-Hash, delegation abuse, and several credential theft techniques.
- Authentication Policies restrict WHERE accounts can authenticate (e.g., only from PAWs).
- All Tier 0 accounts (Domain Admins, service accounts for DCs) should be in Protected Users.
- Test first: Authentication Policies can run in audit-only mode, and Protected Users breaks NTLM-dependent applications.
Protected Users is one of the highest-impact, lowest-effort defenses in AD. Adding Tier 0 accounts to this group instantly eliminates multiple attack techniques that would otherwise require extensive configuration to block individually.
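The procedure the page describes (find NTLM dependencies, enroll Tier 0 accounts in Protected Users, then restrict them to a PAW with an authentication policy and silo), as an added PowerShell example. This is illustrative code written for this page, not Microsoft's or the page's own. The account names t0-alice and t0-bob, the PAW name PAW01, and the policy and silo names are constructed placeholders; the Security event IDs (4776 for NTLM validation, 4820/4821 for TGT and service-ticket denials, 4822/4824 for NTLM and RC4/DES refusals of Protected Users members) and the SDDL form of the device condition are as Microsoft documents them. It assumes the ActiveDirectory module, a domain functional level of Windows Server 2012 R2 or later, and domain controllers with "KDC support for claims, compound authentication and Kerberos armoring" enabled.

```powershell
# Added example for this page; not the page's or Microsoft's own code.
# Assumed/constructed names: t0-alice, t0-bob (Tier 0 admins), PAW01 (the PAW),
# Tier0-Silo, Tier0-User-Policy, Tier0-PAW-Policy.
Import-Module ActiveDirectory

$Tier0Users  = @('t0-alice', 't0-bob')   # constructed sample accounts
$PawComputer = 'PAW01'                   # constructed sample PAW
$SiloName    = 'Tier0-Silo'

# --- Step 1: find NTLM dependencies BEFORE enrolling (Protected Users itself has no audit mode) ---
# Security event 4776 on a DC records each NTLM credential validation.
# For 4776, Properties[1] is TargetUserName and Properties[2] is the source workstation.
function Get-NtlmUseForAccounts {
    param([string[]]$Accounts, [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $Accounts -contains $_.Properties[1].Value } |
        Group-Object { $_.Properties[1].Value } |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count,
                      @{ n = 'Workstations'; e = { ($_.Group | ForEach-Object { $_.Properties[2].Value } | Sort-Object -Unique) -join ',' } }
}
Get-NtlmUseForAccounts -Accounts $Tier0Users | Format-Table -AutoSize

# --- Step 2: enroll the Tier 0 user accounts in Protected Users (idempotent) ---
$current = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).SamAccountName
$toAdd   = $Tier0Users | Where-Object { $current -notcontains $_ }
if ($toAdd) { Add-ADGroupMember -Identity 'Protected Users' -Members $toAdd }

# --- Step 3: authentication policy + silo so the user TGT is only issued from a device in the silo ---
# UserAllowedToAuthenticateFrom is an SDDL string carrying a conditional ACE. The condition is
# evaluated against the requesting *device's* AuthenticationSilo claim, so only a computer
# assigned to the silo (PAW01 below) satisfies it.
$fromSilo = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$SiloName`"))"

# No -Enforce yet: the policies and silo start in audit-only mode and DCs log would-be denials.
$userPolicy = New-ADAuthenticationPolicy -Name 'Tier0-User-Policy' -PassThru `
    -UserTGTLifetimeMins 240 -UserAllowedToAuthenticateFrom $fromSilo
$computerPolicy = New-ADAuthenticationPolicy -Name 'Tier0-PAW-Policy' -PassThru `
    -ComputerTGTLifetimeMins 240
$silo = New-ADAuthenticationPolicySilo -Name $SiloName -PassThru `
    -UserAuthenticationPolicy $userPolicy -ComputerAuthenticationPolicy $computerPolicy

# An account must be both permitted by the silo (Grant-...Access) and assigned to it (Set-AD*).
foreach ($u in $Tier0Users) {
    $acct = Get-ADUser -Identity $u
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $acct
    Set-ADUser -Identity $acct -AuthenticationPolicySilo $SiloName
}
$paw = Get-ADComputer -Identity $PawComputer
Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $paw
Set-ADComputer -Identity $paw -AuthenticationPolicySilo $SiloName

# --- Step 4: verify state and review audit events before enforcing ---
function Test-Tier0Hardening {
    param([string[]]$Accounts, [string]$Silo)
    foreach ($u in $Accounts) {
        $user = Get-ADUser -Identity $u -Properties MemberOf, 'msDS-AssignedAuthNPolicySilo'
        [pscustomobject]@{
            Account        = $u
            ProtectedUsers = [bool]($user.MemberOf -match '^CN=Protected Users,')
            InSilo         = [bool]($user.'msDS-AssignedAuthNPolicySilo' -match "^CN=$Silo,")
        }
    }
}
Test-Tier0Hardening -Accounts $Tier0Users -Silo $SiloName | Format-Table -AutoSize

# 4820/4821: TGT or service ticket denied by policy; 4822: NTLM refused for a Protected Users member;
# 4824: RC4/DES pre-authentication refused for a Protected Users member. Read on each DC.
function Get-PolicyDenialEvents {
    param([int]$Days = 7)
    $ids = 4820, 4821, 4822, 4824
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Group-Object Id | Select-Object Name, Count
}
Get-PolicyDenialEvents | Format-Table -AutoSize

# --- Step 5: once the event review is clean, switch from audit to enforcement ---
# Set-ADAuthenticationPolicy     -Identity 'Tier0-User-Policy' -Enforce $true
# Set-ADAuthenticationPolicy     -Identity 'Tier0-PAW-Policy'  -Enforce $true
# Set-ADAuthenticationPolicySilo -Identity $SiloName           -Enforce $true
```

The event queries read the Security log of the machine they run on, so run them on each domain controller (or wrap them in Invoke-Command) to get a complete picture; a single DC only sees the NTLM validations and policy denials it handled. Keep the enforcement step commented out until Get-PolicyDenialEvents shows nothing unexpected for the enrolled accounts.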
Related Topics
- https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
- https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos
- https://adsecurity.org/?p=4580