Protected Users - NTLM fallback

Anonymous
2022-06-08T21:40:42+00:00

Hi,

I'm testing the Protected Users group in Active Directory, and I'm testing this with a highly privileged user who is not able to access a remote machine using RDP. From the logs it looks like the user falls back to NTLM, which receives an error message since NTLM is not allowed for members of the Protected Users group.

The user is trying to log in to a remote machine by FQDN and not an IP address.

In the event logs I couldn't find any event, such as event 4771, which would shed some light on the reason for the Kerberos ticket being denied. Kerberos audit logs were enabled in the Group Policy.

The user is not able to log in to any remote desktop (though he has the permission/privilege to do so).

What can I do to further troubleshoot this?

Thanks in advance for the help.

Locked Question. This question was migrated from the Microsoft Support Community.

2 answers

  1. Anonymous
    2022-06-09T09:23:59+00:00

    Thanks for the tip.

  2. Igor Leyko 111K Reputation points Independent Advisor
    2022-06-08T22:12:49+00:00

    Hi,

    My name is Igor, I have 12 Microsoft MVP awards. It's a pleasure for me to help others and I'll do my best to help you. I'm sorry you have problems.

    It is more effective to ask AD questions at the Q&A forum https://docs.microsoft.com/en-us/answers/index....

    It is oriented to admins and corporate users, and this forum to home users, so local experts may have no corresponding knowledge, sorry.
