Skip to main content

Attempting to login or join the domain fails when user is a member of the Active Directory Protected Users Group

 Symptoms

  • Attempting to join an ESXi host or VCSA to the domain fails
  • Attempting to add an ldap Identity Source fails
  • Attempting to login with a user account fails
  • In the security logs of the domain controller you observe the following Credential Validation Error:
NTLM authentication failed because the account was a member of the Protected User group
Cause
Introduced in Windows Server 2012 R2 domain controllers the Protected Users Security Group by design is inherently restrictive.

"Members of this group automatically have non-configurable protections applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default."

Accounts that are members of the Protected Users group that authenticate to a Windows Server 2012 R2 domain are unable to:

  • Authenticate with NTLM authentication.

  • Use DES or RC4 encryption types in Kerberos pre-authentication.

  • Be delegated with unconstrained or constrained delegation.

  • Renew the Kerberos TGTs beyond the initial four-hour lifetime.

Resolution
There is no resolution
Workaround
Utilize a user account outside of the 'Protected Users' Group
Related Information
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group

Comments

Post a Comment

Popular posts from this blog

"Failed to configure vAPI Endpoint Service at the firstboot time" while installing Windows VC 6.5

  Symptoms While configuring the vAPI EndPoint Service, you experience these symptoms: Windows vCenter Server 6.5 installation fails while configuring the vAPI EndPoint Service vCenter Server 6.5 installation on a Windows Server fails during the vAPI EndPoint Service during the firstboot time. You see the error: Error: An error occurred while starting service 'vapi-endpoint'. Failed to start the vAPI Endpoint Service. Failed to configure vAPI Endpoint Service at the firstboot time. Please file a bug against VAPI   In vapi_firstboot.py_2948_stderr.log file, you see entries similar to: No valid files with pathname: C:\ProgramData\VMware\vCenterServer\logs\vapi\endpoint* found. ERROR starting vapi-endpoint rc: 2, stdout: , stderr: Start service request failed. Error: Service crashed while starting^M vapi firstboot failed Traceback (most recent call last): File "C:\Program Files\VMware\vCenter Server\firstbo...
Post a Comment
Read more

Cloning and converting virtual machine disks with vmkfstools

 Purpose This article provides information and instructions on the use of the vmkfstools command to convert virtual machine disks from one type to another. Resolution The vmkfstools command offers the ability to clone virtual machine content and also convert from one virtual machine disk ( .vmdk ) format into another. Note : The host operating system chosen to perform the conversion may not necessarily support running of virtual machines via the output format defined. vmkfstools maintains the possibility of exporting virtual disks for use in other VMware products which support alternative disk formats. To convert a virtual machine disk from one type to another: Shut down the virtual machine. Virtual machine disk files are locked while in-use by a running virtual machine. Log in to the VMware vSphere Management Assistant (v...
Post a Comment
Read more

Troubleshooting vpxd service on Windows vCenter Server

  Symptoms You cannot connect to VMware vCenter Server with the vSphere Client. You cannot see the VMware vCenter Server in the inventory in the vSphere Web Client. You see a Microsoft Windows Event error associated with IIS similar to: Event properties - Event 7024, Service Control Manager The VMware VirtualCenter Server service terminated with service-specific error The system cannot find the file specified.. Log Name: System Source: Service Control Event ID: 7024 Level: Error Note : A windows Event ID 1000 may also be reported in relation to this issue.   Connecting to vCenter Server fails with the error: Cannot connect to host server_name : No connection could be made because the target machine actively refused it.   Attempting to start the VMware VirtualCenter Server service fails. You see this error: Windows could not start the VMware VirtualCenter Server service on...
Post a Comment
Read more