Can't login anymore to multiple services (SCCM, WSUS ...) since I added my user to the "Protected users" group

Thomas LOUNIS 21 Reputation points
2021-12-17T17:57:47.577+00:00

Hello everyone,
Concerned about security on my Active Directory domain, my plan is to ensure that I never leave credentials in the cache (lsass process) on the machines I connect to over RDP. The goal is to prevent tools like mimikatz ... from being able to retrieve my credentials in clear text, as a hash, TGT or TGS.

To do this, I added a privileged account (not domain admin) to the "Protected Users" group.
I can connect fine over RDP, but when I use ConfigMgr to connect to SCCM I can no longer connect to this service, and the same goes for WSUS (there must be many others, but I haven't tested them yet).

I think the problem stems from the fact that, by joining the Protected Users group, NTLM connections are no longer possible and only Kerberos authentication is used. Therefore SCCM presumably does not support Kerberos authentication, falls back to NTLM, and the connection fails; the same for WSUS. Is it normal that these do not support Kerberos? Do I have to change anything in their configuration to accept Kerberos? If it is not possible to use Kerberos, what do you recommend as a solution, removing the account from Protected Users? That will unfortunately leave my credentials in the cache.

Thank you in advance for your answers.


Accepted answer
  1. Limitless Technology 39,371 Reputation points
    2021-12-20T13:34:22.63+00:00

    Hello @Thomas LOUNIS

    Accounts for services and computers should not be members of the Protected Users group. This group provides no local protection to these types of accounts because the password or certificate is always available on the host.

    The protection triggered by membership of the Protected Users group is non-configurable. You have two options to authenticate with your SCCM server: using server credentials or your Windows credentials. Kerberos authentication is currently the default authorization technology used by Microsoft Windows.

    For a viable solution, refer to this article: Security and privacy for site administration in Configuration Manager
    https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/security-and-privacy-for-site-administration

    Hope this resolves your Query!!

    --If the reply is helpful, please Upvote and Accept it as an answer--

    2 people found this answer helpful.

1 additional answer

  1. Allan Lauritzen 11 Reputation points
    2021-12-19T21:38:54.403+00:00

    Hi, what domain functional level are you running? You need to be on 2016 or better, not only the servers but the domain functional level.
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels

    Also check that you are not in fact using NTLM,
    and that you are trying from at least a Windows 8.1 client.

    1 person found this answer helpful.
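A practical way to confirm the diagnosis in the question (the account joined Protected Users, so the DC now refuses NTLM for it) and to follow the advice in the answer above ("check that you are not in fact using NTLM") is to look at what authentication package the failing logons actually used. The script below is an added example, not code from the thread or from Microsoft; it assumes it is run elevated on the server that rejected the logon (for instance the SCCM site server or WSUS server), that "Audit Logon" success and failure auditing is enabled there, and that the ActiveDirectory module is installed. `Show-AuthPackageUsage` and the `$SamAccountName` parameter are names chosen for this example.

```powershell
# Added example: check whether an account is in Protected Users and which
# authentication package (Kerberos vs NTLM) its recent logon attempts used.
# Assumptions: elevated session on the server that refused the logon,
# Security log auditing of logon events enabled, ActiveDirectory module present.
function Show-AuthPackageUsage {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,  # account under test (placeholder)
        [int] $Hours = 24                                  # look-back window
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # 1. Is the account actually a member of Protected Users?
    $memberOf    = (Get-ADUser -Identity $SamAccountName -Properties MemberOf).MemberOf
    $isProtected = [bool]($memberOf -match '^CN=Protected Users,')
    Write-Host ("{0} in Protected Users: {1}" -f $SamAccountName, $isProtected)

    # 2. Pull successful (4624) and failed (4625) logons from the Security log.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # 3. Parse the EventData by field name (more robust than positional indexes)
    #    and keep only rows for the account under test.
    $rows = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data['TargetUserName'] -ne $SamAccountName) { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id                         # 4624 success / 4625 failure
            LogonType   = $data['LogonType']            # e.g. 3 = network, 10 = RDP
            AuthPackage = $data['AuthenticationPackageName']  # 'Kerberos' or 'NTLM'
            LmPackage   = $data['LmPackageName']        # NTLM flavour when AuthPackage is NTLM
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            Status      = $data['Status']               # NTSTATUS on 4625 rows
        }
    }

    $rows | Sort-Object Time | Format-Table -AutoSize

    # 4. Summary: NTLM rows for a Protected Users member are the expected
    #    cause of the failure, since the DC rejects NTLM for that account.
    $rows | Group-Object AuthPackage | Select-Object Name, Count
}

# Usage (placeholder account name):
# Show-AuthPackageUsage -SamAccountName 'svc-admin-placeholder' -Hours 48
```

If the summary shows NTLM rows for the account while `isProtected` is true, the client or console is still negotiating NTLM (often because it targets the service by IP address or by a name that has no SPN, so Kerberos cannot be used), which is the situation the question describes. On the domain controller the same NTLM attempts appear as event 4776, so the check can be repeated there if the member server's log is not available.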