
Endpoint Protection Manager login fails for AD sync'd users in Protected Users AD Group


Article ID: 172295




Endpoint Protection


When a Symantec Endpoint Protection Manager (SEPM) administrator account is configured to authenticate via Active Directory (AD) and that user is a member of the AD "Protected Users" security group, the user can no longer log in to the SEPM.

When logging in, the user receives a popup stating:

"The administrator's user name or password is incorrect. Type a valid user name or password."


The SEPM's scm-server-*.log files show:

SEVERE: LDAP Authentication Failed [path=LDAPS://<domain controller:port>, user=<AD user>]. It may fail due to invalid account name, password or the account is currently locked out by domain security policy.


FINE: Error message = 44


When AD users are members of the AD security group "Protected Users", they can no longer authenticate to AD using NTLM authentication, among other restrictions that the group imposes. The following Microsoft document provides further details:

Protected Users Security Group


Windows 2012 R2 or higher Domain Controller


The SEPM does not support non-NTLM authentication at this time and will not be able to authenticate AD sync'd SEPM users who are in the AD "Protected Users" group. To resolve this issue, use one of the following solutions:

  1. Remove the AD user from the "Protected Users" group.
  2. Switch the SEPM administrator account to the SEPM's built-in (non-AD) login so that AD authentication is not needed; the user can then remain in the "Protected Users" group.
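Before choosing a resolution, it helps to know which AD-authenticated SEPM administrators are affected so they can be moved to built-in login before they are locked out. The following PowerShell check is an added example and is not part of the Broadcom article or the SEPM product; it assumes the ActiveDirectory module (RSAT) on a domain-joined host, and the list of SEPM administrator account names is a constructed sample that you would replace with the accounts configured for AD authentication in your own SEPM.

```powershell
# Added example (not from the article): flag SEPM administrator accounts that
# authenticate via AD and are members of the "Protected Users" group, since
# NTLM is blocked for those accounts and the SEPM login will fail.
# Assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

# Constructed sample: sAMAccountNames of the SEPM administrators configured for
# AD authentication. Replace with the accounts defined in your own SEPM.
$sepmAdAdmins = @('sep.admin1', 'sep.admin2', 'helpdesk.ops')

# Current membership of "Protected Users"; -Recursive also lists accounts that
# are members through a nested group, so they are not missed.
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

foreach ($name in $sepmAdAdmins) {
    if ($protected -contains $name) {
        # Candidate for resolution 1 (remove from group) or 2 (built-in login)
        Write-Output "$name : in Protected Users - SEPM AD login will fail (NTLM blocked)"
    } else {
        Write-Output "$name : not in Protected Users - not affected by this issue"
    }
}
```

Run the script from an account allowed to read group membership in the domain. Any name reported as a member of Protected Users needs one of the two resolutions above applied before that administrator next tries to log in to the SEPM; the SEPM log entry "LDAP Authentication Failed" quoted earlier is the symptom to correlate against when the check and the login failures disagree.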