Introduced with Windows Server 2012 R2 domain controllers, the Protected Users security group is restrictive by design: membership alone applies a fixed set of credential-theft mitigations to the account, with no per-member tuning.
"Members of this group automatically have non-configurable protections applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default."
Accounts that are members of the Protected Users group and authenticate to a Windows Server 2012 R2 domain are unable to:

- Authenticate with NTLM; only Kerberos is accepted for these accounts.
- Use the DES or RC4 encryption types in Kerberos pre-authentication, so the account must have AES keys.
- Be delegated with unconstrained or constrained delegation; a service that relies on delegating the member's credentials onward will fail.
- Renew a Kerberos TGT beyond its initial four-hour lifetime, so the user must re-authenticate after four hours.

Because every one of these protections breaks NTLM-only applications, legacy RC4 services and delegation scenarios, add accounts one at a time, never add service or computer accounts, and keep at least one break-glass administrator outside the group.
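The following PowerShell is an added example, not code from the original article or from Microsoft. It checks the prerequisite the restrictions above depend on (a domain at the Windows Server 2012 R2 functional level or higher), audits current Protected Users members for accounts that will break under these rules (computer accounts, accounts with SPNs, accounts configured for delegation), and stages a single administrator into the group as a dry run. It assumes the RSAT ActiveDirectory module, a domain-joined host with rights to read group membership, and an account named 'adm-alice', which is a placeholder.

```powershell
# Added example (not part of the original article). Assumes the RSAT ActiveDirectory
# module and rights to read AD group membership. 'adm-alice' is a placeholder name.
Import-Module ActiveDirectory

function Test-ProtectedUsersPrerequisites {
    # The DC-side restrictions (NTLM refusal, RC4/DES refusal, no delegation, 4-hour TGT)
    # are only enforced once the domain functional level is Windows Server 2012 R2 or higher.
    $domain   = Get-ADDomain
    $required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
    if ([int]$domain.DomainMode -lt [int]$required) {
        Write-Warning "Domain functional level is $($domain.DomainMode); DCs will not enforce Protected Users restrictions below Windows2012R2Domain."
        return $false
    }
    return $true
}

function Get-ProtectedUsersRiskyMembers {
    # Flag members whose logons or services will break once NTLM, RC4/DES and delegation
    # are refused: machine identities, service accounts (SPNs) and delegating accounts.
    $members = Get-ADGroupMember -Identity 'Protected Users' -Recursive
    foreach ($m in $members) {
        if ($m.objectClass -eq 'computer') {
            [pscustomobject]@{ Name = $m.SamAccountName; Reason = 'Computer account: machine identities must not be protected' }
            continue
        }
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
        if ($u.servicePrincipalName.Count -gt 0) {
            [pscustomobject]@{ Name = $u.SamAccountName; Reason = 'Has SPNs: service account, clients can no longer delegate to it or use RC4' }
        }
        if ($u.TrustedForDelegation -or $u.'msDS-AllowedToDelegateTo') {
            [pscustomobject]@{ Name = $u.SamAccountName; Reason = 'Configured for delegation: this is a service identity, not an admin' }
        }
    }
}

function Add-ProtectedAdmin {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$Commit
    )
    # Stage one admin at a time: the account loses NTLM immediately, so confirm
    # Kerberos-only access to every system it manages before committing.
    $u = Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName
    if ($u.servicePrincipalName.Count -gt 0) {
        throw "$SamAccountName has SPNs; refusing to add a service account to Protected Users."
    }
    # Without -Commit this is a -WhatIf dry run that only reports the change.
    Add-ADGroupMember -Identity 'Protected Users' -Members $u -WhatIf:(-not $Commit)
}

function Get-ProtectedUsersFailures {
    # Run on a 2012 R2+ DC. Refused NTLM/RC4/delegation attempts by members land in this
    # operational log, which must be enabled in Event Viewer if it is not already on.
    Get-WinEvent -LogName 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController' `
                 -MaxEvents 50 -ErrorAction SilentlyContinue
}

if (Test-ProtectedUsersPrerequisites) {
    Get-ProtectedUsersRiskyMembers | Format-Table -AutoSize
    Add-ProtectedAdmin -SamAccountName 'adm-alice'   # dry run; add -Commit to apply
}
```

After adding a pilot account, have that user sign in and exercise every tool they administer with; anything that silently fell back to NTLM or RC4 will now fail, and on the domain controller Get-ProtectedUsersFailures shows which restriction was hit. Only then move on to the next account.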