Can we use the Protected Users Group from Windows along with CA PAM?
The Protected Users security group was introduced with Windows Server 2012 R2 and has continued through all Windows versions up to Windows Server 2022 and beyond.
• Members of this group cannot use NTLM, digest authentication, or CredSSP for authentication, and plain-text passwords are not cached. Any device or application that relies on these protocols will therefore fail to authenticate group members to the domain.
• Kerberos long-term keys are not cached. For accounts in this group, the Kerberos protocol verifies authentication at each request using the TGT acquired at logon.
• Offline sign-in is not possible, because a cached verifier is not created at sign-in.
The Protected Users group does not require the domain or forest functional level to be Windows Server 2012 R2 or higher (Windows Server 2008 is the minimum, because Kerberos must be able to use AES). The only requirement is that the PDC emulator FSMO role runs on a Windows Server 2012 R2 domain controller.
If the domain functional level is Windows Server 2012 R2 or Windows Server 2016, the Protected Users group provides these additional protections:
• No NTLM authentication
• No DES or RC4 encryption in Kerberos pre-authentication
• No delegation using the unconstrained or constrained method
• No Kerberos TGT valid for more than 4 hours
Starting with version 4.1.5, CA PAM supports Kerberos authentication for Active Directory and Windows Remote, so accounts in the Protected Users group are supported from that version onward.
See https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx and https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group for further details of these restrictions.
For versions prior to 4.1.5, CA PAM does not support accounts in the Protected Users group.
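Before placing a PAM-managed account into Protected Users, an administrator will want to confirm the prerequisites and restrictions listed above hold in the domain. The following PowerShell audit is an added example, not part of this article or of CA PAM; it assumes the ActiveDirectory RSAT module in a domain-joined admin session, reads only, and changes nothing.

```powershell
# Added example (not from the CA PAM article or Microsoft): read-only pre-flight
# audit of the Protected Users prerequisites and restrictions described above.
# Assumes the ActiveDirectory RSAT module and a domain-joined admin session.
Import-Module ActiveDirectory

$report = [System.Collections.Generic.List[object]]::new()

# 1. Prerequisite: the PDC emulator FSMO role must sit on Windows Server 2012 R2 or later.
$domain = Get-ADDomain
$pdc    = Get-ADComputer -Filter "DNSHostName -eq '$($domain.PDCEmulator)'" -Properties OperatingSystem
$report.Add([pscustomobject]@{
    Subject = $pdc.DNSHostName
    Check   = 'PDC emulator on Windows Server 2012 R2 or later'
    Detail  = $pdc.OperatingSystem
    Result  = if ($pdc.OperatingSystem -match 'Server (2012 R2|201[6-9]|20[2-9]\d)') { 'OK' } else { 'FAIL' }
})

# 2. Restrictions that apply to every (nested) user member of Protected Users.
$aesBits = 0x18   # msDS-SupportedEncryptionTypes: 0x8 = AES128, 0x10 = AES256
$members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties msDS-SupportedEncryptionTypes, TrustedForDelegation, TrustedToAuthForDelegation

foreach ($u in $members) {
    # Unconstrained and constrained delegation are refused for Protected Users, so an
    # account that depends on delegation will break once it is in the group.
    $delegates = $u.TrustedForDelegation -or $u.TrustedToAuthForDelegation
    $report.Add([pscustomobject]@{
        Subject = $u.SamAccountName
        Check   = 'No Kerberos delegation configured'
        Detail  = "TrustedForDelegation=$($u.TrustedForDelegation); TrustedToAuthForDelegation=$($u.TrustedToAuthForDelegation)"
        Result  = if ($delegates) { 'FAIL' } else { 'OK' }
    })

    # Pre-authentication must use AES: an encryption-type attribute explicitly set
    # to DES/RC4 only (no AES bit) means Kerberos logon will fail for this account.
    $enc = $u.'msDS-SupportedEncryptionTypes'
    $report.Add([pscustomobject]@{
        Subject = $u.SamAccountName
        Check   = 'AES permitted in msDS-SupportedEncryptionTypes'
        Detail  = if ($null -eq $enc) { 'not set (domain default applies)' } else { '0x{0:X}' -f $enc }
        Result  = if ($null -ne $enc -and ($enc -band $aesBits) -eq 0) { 'FAIL' } else { 'OK' }
    })
}

$report | Format-Table -AutoSize
```

Any FAIL row identifies an account or domain controller that will stop authenticating once the Protected Users restrictions apply, and should be fixed before the account is added to the group.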