If you are seeing the error below, it may be caused by the restrictions that come with adding an account to the Protected Users group in Active Directory.

“A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support.”

To learn more about this special group, which was introduced with Windows Server 2012 R2, see the official documentation here: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group

Becoming a member of the Protected Users group means AD automatically applies a fixed set of pre-configured controls to the account. They can't be changed or disabled for that account while it remains a group member.

When the signed in user is a member of the Protected Users group, the group provides the following protections:

  • Credential delegation (CredSSP) doesn’t cache the user’s plain text credentials even when the user enables the Allow delegating default credentials Group Policy setting.
  • For Windows 8.1 and later and Windows Server 2012 R2 and later, Windows Digest doesn’t cache the user’s plaintext credentials even when they’ve enabled Windows Digest.
  • NTLM stops caching the user’s plaintext credentials or NT one-way function (NTOWF).
  • Kerberos stops creating Data Encryption Standard (DES) or RC4 keys. Kerberos also doesn’t cache the user’s plaintext credentials or long-term keys after acquiring the initial Ticket Granting Ticket (TGT).
  • The system doesn’t create a cached verifier at user sign-in or unlock, so member systems no longer support offline sign-in.

After you add a new user account to the Protected Users group, these protections will activate when the new Protected User signs in to their device.

Protected Users members that authenticate to a domain whose domain controllers run Windows Server 2012 R2 or later are unable to do the following:

  • Authenticate with NTLM authentication.
  • Use DES or RC4 encryption types in Kerberos pre-authentication.
  • Delegate with unconstrained or constrained delegation.
  • Renew Kerberos TGTs beyond their initial four-hour lifetime.

The Protected Users group applies non-configurable settings to TGT expiration for every member account. Normally, the domain controller sets the TGT lifetime and renewal based on the following two domain policies:

  • Maximum lifetime for user ticket
  • Maximum lifetime for user ticket renewal

For Protected Users members, the group ignores those two policies and applies a fixed limit instead: the TGT expires after four hours (240 minutes) and can't be renewed, compared with the domain default of 600 minutes (10 hours) for the ticket lifetime and 7 days for renewal. The user can't change this limit unless they leave the group.
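The two lists above describe what the group changes; the following PowerShell is an added example, not code from the original post, that lets you observe it on a domain-joined client. It assumes the RSAT ActiveDirectory module is installed, that you run it as the account you are troubleshooting after a fresh logon, and it relies on the Protected Users group having the well-known relative ID 525 in every domain. The function names Get-ProtectedUsersGroup, Test-ProtectedUser and Get-TgtSummary are my own.

```powershell
# Added example (not from the original post): check direct membership of
# Protected Users and inspect the current TGT with klist.
Import-Module ActiveDirectory

function Get-ProtectedUsersGroup {
    # Protected Users has the well-known RID 525 in every domain, so look it
    # up by SID instead of by the (localisable) display name.
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADGroup -Identity "$domainSid-525"
}

function Test-ProtectedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $group = Get-ProtectedUsersGroup
    $user  = Get-ADUser -Identity $SamAccountName -Properties memberOf
    # Direct membership only, i.e. what the Member Of tab in ADUC shows.
    [bool]($user.memberOf -contains $group.DistinguishedName)
}

function Get-TgtSummary {
    # Parse the krbtgt entry out of klist output and report the properties
    # the group changes: ticket lifetime and encryption type.
    $text  = (klist.exe) -join "`n"
    # klist prints one block per ticket, each starting with "#n>".
    $block = ($text -split '(?m)^#\d+>') |
             Where-Object { $_ -match 'Server:\s*krbtgt/' } |
             Select-Object -First 1
    if (-not $block) { return $null }

    $culture = [cultureinfo]::CurrentCulture   # klist prints dates in the user's locale
    $enc   = [regex]::Match($block, 'KerbTicket Encryption Type:\s*(.+)').Groups[1].Value.Trim()
    $start = [datetime]::Parse([regex]::Match($block, 'Start Time:\s*(.+?)\s*\(local\)').Groups[1].Value, $culture)
    $end   = [datetime]::Parse([regex]::Match($block, 'End Time:\s*(.+?)\s*\(local\)').Groups[1].Value, $culture)
    $flags = [regex]::Match($block, 'Ticket Flags .*->\s*(.+)').Groups[1].Value.Trim()

    [pscustomobject]@{
        EncryptionType = $enc
        LifetimeHours  = [math]::Round(($end - $start).TotalHours, 2)
        Flags          = $flags
    }
}

# Usage: run as the user you are troubleshooting, after a fresh sign-in.
$me = $env:USERNAME
"Protected Users member: $(Test-ProtectedUser -SamAccountName $me)"
Get-TgtSummary | Format-List
# For a member you should see an AES encryption type (no RC4 or DES) and a
# LifetimeHours of about 4 rather than the 10-hour domain default.
```

If Test-ProtectedUser returns True but LifetimeHours still shows the domain default, the ticket was issued before the account was added; sign out and back in so a new TGT is requested.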

Event logs

Two operational administrative logs are available to help troubleshoot events related to Protected Users. They are located in Event Viewer under Applications and Services Logs\Microsoft\Windows\Authentication and are disabled by default.

To enable capturing these logs:

  1. Right-click on Start, then select Event Viewer.
  2. Open Applications and Services Logs\Microsoft\Windows\Authentication.
  3. For each log you want to enable, right-click the log name, then select Enable Log.
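The same procedure can be scripted so you can enable the logs on several machines and pull the entries after reproducing the failed sign-in. The PowerShell below is an added example, not from the original post. It assumes that the Event Viewer folder Applications and Services Logs\Microsoft\Windows\Authentication corresponds to channels whose names start with Microsoft-Windows-Authentication/ (the script enumerates them rather than hard-coding log names), and that it runs in an elevated session, which changing log settings requires. The function names Enable-ProtectedUserLogs and Get-ProtectedUserEvents are my own.

```powershell
# Added example (not from the original post): enable the Protected Users
# operational logs and read back recent entries. Run elevated.

function Enable-ProtectedUserLogs {
    # Enumerate every channel under the Authentication folder; a client has
    # the client-side log, domain controllers carry the DC-side ones.
    $logs = Get-WinEvent -ListLog 'Microsoft-Windows-Authentication/*' -ErrorAction Stop
    foreach ($log in $logs) {
        if ($log.IsEnabled) {
            "Already enabled: $($log.LogName)"
            continue
        }
        $log.IsEnabled = $true
        $log.SaveChanges()   # same effect as right-click > Enable Log in Event Viewer
        "Enabled: $($log.LogName)"
    }
}

function Get-ProtectedUserEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -ListLog 'Microsoft-Windows-Authentication/*' |
        Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
        ForEach-Object {
            # Get-WinEvent writes a non-terminating error when a log has no
            # events in the window; that is not a failure here.
            Get-WinEvent -FilterHashtable @{ LogName = $_.LogName; StartTime = $since } `
                         -ErrorAction SilentlyContinue
        } |
        Select-Object TimeCreated, LogName, Id, Message |
        Sort-Object TimeCreated -Descending
}

Enable-ProtectedUserLogs
# Reproduce the failing sign-in, then:
Get-ProtectedUserEvents -Hours 1 | Format-Table -AutoSize -Wrap
```

Run Enable-ProtectedUserLogs on the domain controllers as well as on the client; the DC-side logs are where a refused NTLM or RC4 request for a Protected Users member is recorded.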

In my particular case, I was trying to connect to the host via the IP address, therefore using NTLM authentication, which is not supported if your account is a member of the Protected Users group.
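The fix that follows from that observation is to connect by a name that matches the host's service principal name so the client can request a Kerberos ticket instead of falling back to NTLM. The PowerShell below is an added example, not the author's code: it takes the target you typed, detects an IP literal, resolves it to an FQDN through reverse DNS, and after connecting confirms with klist that a service ticket for that host was obtained. It assumes a domain-joined client with a working reverse lookup for the target; the 10.0.0.25 input is a constructed example and the function names Resolve-KerberosTarget and Test-KerberosTicketFor are my own.

```powershell
# Added example (not from the original post): rewrite an IP-literal target
# to its FQDN so the connection can use Kerberos, then verify the ticket.

function Resolve-KerberosTarget {
    param([Parameter(Mandatory)][string]$Target)
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Target, [ref]$ip)) {
        # There is no host/<ip> SPN by default, so with an IP literal the
        # client has nothing to ask the KDC for and falls back to NTLM,
        # which a Protected Users member is not allowed to use.
        try {
            $fqdn = [System.Net.Dns]::GetHostEntry($ip).HostName
        } catch {
            throw "No reverse DNS record for $Target; connect by host name instead."
        }
        return [pscustomobject]@{ Original = $Target; UseInstead = $fqdn; Reason = 'IP literal forces NTLM' }
    }
    if ($Target -notmatch '\.') {
        # A short name usually resolves through the DNS suffix list, but the
        # FQDN is what the SPN is registered under, so prefer it.
        $fqdn = [System.Net.Dns]::GetHostEntry($Target).HostName
        return [pscustomobject]@{ Original = $Target; UseInstead = $fqdn; Reason = 'prefer FQDN for SPN match' }
    }
    [pscustomobject]@{ Original = $Target; UseInstead = $Target; Reason = 'already a host name' }
}

function Test-KerberosTicketFor {
    # True when klist holds a service ticket for the host (RDP uses the
    # TERMSRV/ SPN, WinRM and SMB use host/ and cifs/).
    param([Parameter(Mandatory)][string]$Fqdn)
    $pattern = "Server:\s*(TERMSRV|host|cifs)/$([regex]::Escape($Fqdn))"
    ((klist.exe) -join "`n") -match $pattern
}

$t = Resolve-KerberosTarget -Target '10.0.0.25'   # constructed example input
$t | Format-List
mstsc.exe /v:$($t.UseInstead)
# Once the session is up, confirm Kerberos was used rather than NTLM:
# Test-KerberosTicketFor -Fqdn $t.UseInstead
```

If Test-KerberosTicketFor returns False after a successful connection, the name you used does not match a registered SPN on the target (check with setspn -L <computer>), and the client will have used NTLM again.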