PAM and Protected Users Group from Windows
search cancel

PAM and Protected Users Group from Windows


Article ID: 17076


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)


Can we use the Protected Users Group from Windows along with CA PAM?


Release: 3.4.x, 4.0.x, 4.1.x


The Protected Users security group was introduced with Windows Server 2012 R2 and continued in Windows Server 2022.

Unfortunately PAM is not compatible with this because:

• Members of this group cannot use NTLM, digest authentication, or CredSSP for authentication. Plain text passwords are not cached. So, any of the devices using these protocols will fail to authenticate to the domain.

• Kerberos long-term keys not cached. For accounts in this group, the Kerberos protocol verifies authentication at each request (the TGT acquired at log on).

• Sign-in is offline. A cached verifier is not created at sign-in.

For the Protected Users group feature, it is not a must to have a domain or forest functional level run on Windows Server 2012 R2 or higher (Windows Server 2008 is the minimum as Kerberos needs to use AES). The only requirement is to run the PDC emulator FSMO role in the Windows Server 2012 R2 domain controller.

If the AD environment uses Windows Server 2012 R2 or Windows Server 2016 domain functional levels, it provides additional protections with Protected User groups, as:

• No NTLM authentication

• No DES or RC4 encryption in Kerberos pre-authentication

• No delegation using the unconstrained or constrained method

• No Kerberos TGT valid more than 4 hours

Additional Information

See for further details of these restrictions.