Unable to access via remote desktop after adding user account to Protected Users.

Richard Y 481 Reputation points
2022-01-24T21:13:38.67+00:00

Hi,

Our administrators are facing an issue after adding their accounts to the Protected Users group.
I need your help to fix this issue.


3 answers

  1. Thameur-BOURBITA 32,501 Reputation points
    2022-01-24T21:20:28.463+00:00

    Hi,

    If the user account is a member of the protected group, only Kerberos is supported. NTLM is not supported.
    To ensure that Kerberos authentication is working fine, you should check:

    • Only the FQDN is supported to access via remote desktop, because when you use an IP address, you will use NTLM for authentication
    • Check SPN settings; if the server has many FQDNs, you should add the same SPNs for each FQDN
    • Check if network flow is opened between the client machine and the domain controller for Kerberos authentication

    Please don't forget to mark helpful reply as answer


  2. Limitless Technology 39,351 Reputation points
    2022-01-31T19:16:25.117+00:00

    Hi @Richard Y

    Members of the Protected Users group must be able to authenticate by using Kerberos with Advanced Encryption Standards (AES). This method requires AES keys for the account object in Active Directory. The built-in Administrator does not have an AES key unless the password was changed on an Active Directory Domain Controller that runs Windows Server 2008 or later. Additionally, any account object, which has a password that was changed at an Active Directory Domain Controller that runs an earlier version of Windows Server, is locked out.

    Here is a thread as well that discusses the same issue, and you can try out some troubleshooting steps from it and see if that helps you to sort out the issue.

    Microsoft Store RDP App won't allow connection when protected users group enabled
    https://learn.microsoft.com/en-us/answers/questions/372142/microsoft-store-rdp-app-wont-allow-conenction-when.html

    Hope this resolves your Query!!

    --------
    --If the reply is helpful, please Upvote and Accept as answer--
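The checks listed in the first two answers (FQDN instead of IP address, SPN registration, Kerberos reachability of a domain controller, password age as a hint for AES keys) can be gathered in one pass. This is an added example, not code from any of the posters; `$Target` and `$Admin` are constructed placeholders, and it assumes the RSAT Active Directory module on a domain-joined client.

```powershell
# Added example. $Target and $Admin are constructed placeholders.
$Target = 'rdp01.corp.example.com'   # name typed into the RDP client
$Admin  = 'adm-jdoe'                 # sAMAccountName of the affected admin

Import-Module ActiveDirectory        # RSAT Active Directory module

# An IP address cannot be matched to an SPN, so the client falls back to NTLM,
# which Protected Users members are not allowed to use.
$ip = $null
$targetIsIp = [System.Net.IPAddress]::TryParse($Target, [ref]$ip)

# Protected Users membership (direct or nested) and password age.
# PasswordLastSet is only a hint for the AES-key point: compare it with the
# date your domain controllers moved to Windows Server 2008 or later.
$user = Get-ADUser -Identity $Admin -Properties PasswordLastSet
$members = Get-ADGroupMember -Identity 'Protected Users' -Recursive
$inPU = $members.distinguishedName -contains $user.DistinguishedName

# The RDP client requests a ticket for TERMSRV/<name>. Exactly one account
# should own that SPN: zero means missing, more than one means a duplicate.
$spn = "TERMSRV/$Target"
$spnOwners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")

# Kerberos needs port 88 on a domain controller reachable from this client.
$dcHost = @((Get-ADDomainController -Discover).HostName)[0]
$kdc = Test-NetConnection -ComputerName $dcHost -Port 88 -WarningAction SilentlyContinue

[pscustomobject]@{
    Target             = $Target
    TargetIsIpAddress  = $targetIsIp            # want: False
    InProtectedUsers   = $inPU
    PasswordLastSet    = $user.PasswordLastSet
    SpnChecked         = $spn
    SpnOwnerCount      = $spnOwners.Count       # want: 1
    SpnOwners          = $spnOwners.Name -join ', '
    DomainController   = $dcHost
    KdcPort88Reachable = $kdc.TcpTestSucceeded  # want: True
} | Format-List

# Optional: request a service ticket for that SPN as the currently
# logged-on user; an error here points at the SPN or the KDC path.
klist get $spn
```

Run it from the client that fails to connect, once for each FQDN the server answers to.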


  3. Sebastian Cerazy 306 Reputation points
    2023-03-25T11:13:16.7466667+00:00

    AlwaysON VPN (to Server 2016 using PEAP certificate) client

    Member of Protected Users cannot log in to RDP using FQDN

    Does anybody have any idea how to get it working (apart from removing the user from the PU group)?

    None of the troubleshooting docs, i.e. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn518179(v=ws.11), give anything related to this issue

    Usually removal from the group is a "solution"

    https://www.easy365manager.com/a-user-account-restriction-is-preventing-you-from-logging-on/

    Seb
