Microsoft introduced a new security group named “Protected Users Group” with Server 2012 R2 and windows 8.1 clients to offer additional protections against the credential theft/compromise and help in your overall mitigation plan for Pass of the Hash (PtH) attack. Its highly recommended to add all your service and high privileged accounts to this group for more protection.
For more information on this Security group, please check the below link.
Microsoft Published two documents (Version 1 & 2) explaining in details the Pass of Hash Attack and possible mitigation, i would highly advice downloading these documents from the below link
Back to our main post, we had a scenario with some companies adding their main critical service accounts and admin accounts in the Protected Users Group. Some of these accounts (not all of them) reported that they were not able to log in to their local machines or remotely to any server whether its 2008 or 2012 family. The error message the user receives is as shown below:
As soon as these users are removed from the Protected group, they just work back normally. The weird thing is that this error occurred only for few accounts in the Protected Users group and not all accounts.
The following event was logged in the Event viewer at the same time of log in failure
Upon further investigation on this problem we were able to identify a common factor for all these accounts that were unable to log in after being added to the Protected Users group:
- They were old accounts, created few years ago when the domain was 2003 Domain/Forest Functional Level.
- These accounts have Non-Expiry passwords (Since most of them are service accounts) !