
PAM and Protected Users Group from Windows


Article ID: 17076


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)


Can we use the Protected Users Group from Windows along with CA PAM?


Release: PAMDKT99500-2.7-Privileged Access Manager-NSX API PROXY


CA PAM is NOT compatible with the restrictions imposed on user accounts from the Protected Users group in Win2012 R2.


Note, by default the Protected Users group in Win2012 R2 does not contain any users.

We tested RADIUS or LDAP authentication of the PAM Client against the DC with such a user; authentication fails once the user is a member of this group.

Also, Password Change in Password Manager for such a user account is basically not working.

Likewise, refreshing or importing an LDAP group fails while the bind user is a member of the Protected Users group.

Moreover, RDP session initiation using the PAM Client's RDP applet fails when the Terminal Server on the DC requires NLA (Kerberos / CredSSP) authentication with a user account from the Protected Users group.
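
To see ahead of time whether any account PAM depends on is affected, the following PowerShell check (an added example, not part of the original article or of CA PAM) matches the direct members of the Protected Users group against the accounts PAM uses and reports the failure described above for each hit. The account names and role labels are constructed placeholders, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example: flag PAM-related accounts that are members of Protected Users.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Constructed sample data: replace with the accounts configured in your PAM deployment.
$pamAccounts = @(
    [pscustomobject]@{ SamAccountName = 'svc-pam-ldapbind'; Role = 'LdapBind' }
    [pscustomobject]@{ SamAccountName = 'jdoe-admin';       Role = 'ClientLogin' }
    [pscustomobject]@{ SamAccountName = 'svc-sql-target';   Role = 'ManagedPassword' }
    [pscustomobject]@{ SamAccountName = 'dc-rdp-admin';     Role = 'RdpNla' }
)

# Failure per role, taken from the behaviour listed in this article.
$impact = @{
    LdapBind        = 'LDAP group refresh/import fails'
    ClientLogin     = 'RADIUS/LDAP authentication of the PAM Client fails'
    ManagedPassword = 'Password Change in Password Manager does not work'
    RdpNla          = 'RDP applet session fails when NLA is required'
}

# Direct members of the group (empty by default on Win2012 R2).
$protected = @(Get-ADGroupMember -Identity 'Protected Users' |
    Select-Object -ExpandProperty SamAccountName)

# -contains is case-insensitive, matching how AD treats sAMAccountName.
$findings = foreach ($acct in $pamAccounts) {
    if ($protected -contains $acct.SamAccountName) {
        [pscustomobject]@{
            Account = $acct.SamAccountName
            Role    = $acct.Role
            Impact  = $impact[$acct.Role]
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled job or pipeline can alert on it
} else {
    Write-Output 'No PAM-related account is a member of Protected Users.'
}
```

Running it again after any change to the group's membership catches an account that was added to Protected Users after it was onboarded to PAM.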

Additional Information

See for further details of these restrictions.