Protected Users is a group introduced in Server 2012 R2 for "better protection against credential theft" by not caching credentials in insecure ways.

Members of this group have non-configurable protection applied. In order to use the Protected Users group, PDC should be running with a minimum of Windows Server 2012 R2 and the client computers should be running with a minimum of Windows 8.1 or Windows 2012 R2.

A user added to this group:

• Cannot use CredSSP (with it we’re able to do delegation and caching of credential) and WDigest. No more cleartext credentials caching.
• NTLM hash is not cached.
• Kerberos does not use DES or RC4 keys.
• No caching of clear text credentials or long term keys.

If the domain functional level is Server 2012 R2, following DC protections are available:

• No NTLM authentication (i.e. printers connected using network share without Kerberos will not work)
• No DES or RC4 encryption keys in Kerberos pre auth
• No delegation (constrained or unconstrained)
• No renewal of TGT beyond initial four hour lifetime Hardcoded, unconfigurable "Maximum lifetime for user ticket" and "Maximum lifetime for user ticket (No Kerberos TGT valid more than 4 hours).

To be used, Protected Users group needs all domain controllers to be at least Server 2008 or later (because AES keys).

<aside> ⚠️ Not recommended by Microsoft to add DAs and EAs to this group without testing "the potential impact" of lock out.

</aside>

No cached logon → so offline sign-in is no longer supported. Having computer and service accounts in this group is useless as their credentials will always be present on the host machine.