Can we use the Protected Users Group from Windows along with CA PAM?
CA PAM is NOT compatible with the restrictions imposed on user accounts in the Protected Users group in Windows Server 2012 R2.
Note that by default the Protected Users group in Windows Server 2012 R2 does not contain any users.
We tested RADIUS or LDAP authentication of the PAM Client against the DC with such a user; it fails once the user is a member of this group.
Also, password change in Password Manager for such a user account is basically not working.
Likewise, refreshing or importing an LDAP group fails while the bind user is a member of the Protected Users group.
Moreover, RDP session initiation using the PAM Client's RDP applet fails when Terminal Server on the DC requires NLA (Kerberos / CredSSP) authentication and the user account is from the Protected Users group.
See https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx for further details of these restrictions.
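To find out whether any account that CA PAM relies on is already in the group, the following PowerShell check can be run on a domain-joined host. It is an added example, not CA code; the account names and roles are constructed placeholders, and the function name Get-ProtectedUsersConflict is hypothetical.

```powershell
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Constructed sample input: accounts PAM depends on and the PAM function each one serves.
# Replace the placeholder names with the accounts from your own PAM configuration.
$pamAccounts = @(
    [pscustomobject]@{ SamAccountName = 'svc-pam-ldapbind'; Role = 'LDAP bind user (group import/refresh)' }
    [pscustomobject]@{ SamAccountName = 'jdoe';             Role = 'PAM Client login via RADIUS/LDAP' }
    [pscustomobject]@{ SamAccountName = 'adm-rdp-target';   Role = 'RDP applet target account (NLA)' }
    [pscustomobject]@{ SamAccountName = 'svc-pam-pwmgr';    Role = 'Password Manager managed account' }
)

function Get-ProtectedUsersConflict {
    param(
        [Parameter(Mandatory)]
        [object[]] $Accounts
    )

    # Protected Users has the well-known RID 525. Resolving it by SID avoids
    # depending on the group's display name.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $group     = Get-ADGroup -Identity "$domainSid-525"

    # -Recursive also lists accounts that reach the group through nested groups.
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.SamAccountName }

    foreach ($account in $Accounts) {
        [pscustomobject]@{
            SamAccountName   = $account.SamAccountName
            Role             = $account.Role
            InProtectedUsers = ($members -contains $account.SamAccountName)
        }
    }
}

# List only the accounts whose PAM function is expected to fail.
Get-ProtectedUsersConflict -Accounts $pamAccounts |
    Where-Object { $_.InProtectedUsers } |
    Format-Table -AutoSize
```

An empty result means none of the listed accounts is in Protected Users.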