Endpoint Protection Manager login fails for AD sync'd users in Protected Users AD Group
Article ID: 172295


Products

Endpoint Protection

Issue/Introduction

When a Symantec Endpoint Protection Manager (SEPM) user is configured to authenticate via Active Directory (AD) and that user is a member of the AD "Protected Users" security group, they are no longer able to log into the SEPM.

When logging in, the user receives a popup stating:

"The administrator's user name or password is incorrect. Type a valid user name or password."

The SEPM's scm-server-*.log files will show:

SEVERE: LDAP Authentication Failed [path=LDAPS://<domain controller:port>, user=<AD user>]. It may fail due to invalid account name, password or the account is currently locked out by domain security policy.

...

FINE: Error message = 44

Environment

Windows 2012 R2 or higher Domain Controller

Cause

When an AD user is a member of the AD security group "Protected Users", the account can no longer authenticate to AD using NTLM authentication, among other restrictions. The following Microsoft document provides further details:

Protected Users Security Group

Resolution

The SEPM does not support non-NTLM authentication at this time, so it cannot authenticate AD sync'd SEPM users who are in the AD "Protected Users" group. To resolve this issue, use one of the following solutions:

  1. Remove the AD user from the "Protected Users" group.
  2. Switch the SEPM user to the SEPM's built-in login functionality so that AD authentication is not needed; the user can then remain in the "Protected Users" group.
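The following PowerShell is an added triage example, not part of this article or of the SEPM product: it parses the "LDAP Authentication Failed" entries from scm-server-*.log in the format quoted above and checks each failing account against the AD "Protected Users" group, so an administrator can tell which failures this article explains and which need a normal password/lockout check. It assumes the ActiveDirectory RSAT module is installed and that the user value written to the log is the account's sAMAccountName; the log lines below are constructed samples.

```powershell
# Added example (not from the KB or from SEPM). Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed sample log content matching the format quoted in this article.
$sampleLog = @'
SEVERE: LDAP Authentication Failed [path=LDAPS://dc01.corp.example:636, user=jdoe]. It may fail due to invalid account name, password or the account is currently locked out by domain security policy.
FINE: Error message = 44
SEVERE: LDAP Authentication Failed [path=LDAPS://dc01.corp.example:636, user=asmith]. It may fail due to invalid account name, password or the account is currently locked out by domain security policy.
'@ -split "`r?`n"

# Capture the LDAP path and user name from the SEVERE line.
$pattern = 'LDAP Authentication Failed \[path=(?<path>[^,]+), user=(?<user>[^\]]+)\]'

# Unique account names (assumed to be sAMAccountNames) that failed LDAP authentication.
$failedUsers = $sampleLog |
    ForEach-Object { if ($_ -match $pattern) { $Matches['user'] } } |
    Sort-Object -Unique

# Resolve "Protected Users" once and collect its (nested) members' sAMAccountNames.
$protectedMembers = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# Report which failures are explained by Protected Users membership (-contains is case-insensitive).
foreach ($user in $failedUsers) {
    $inProtected = $protectedMembers -contains $user
    [PSCustomObject]@{
        User             = $user
        InProtectedUsers = $inProtected
        LikelyCause      = if ($inProtected) { 'Protected Users blocks NTLM; apply a resolution from this article' } `
                           else { 'Not explained by Protected Users; check credentials and lockout status' }
    }
}
```

In production, replace `$sampleLog` with `Get-Content` over the actual scm-server-*.log files on the SEPM.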