Add Machines from PVS when member of Protected Users

Sabine Ludewig1709156713 · November 17, 2022

Hi all

I was wondering whether this is an expected behaviour or if I can do anything about it.

I'm trying to add a worker from a pvs collection to a machine catalog in Citrix Studio (looged in to the DDC).

But when my account is member of the AD- group Protcted Users, connecting to the PVS server fails.

Any ideas how to work around this issue wihout removing the account from the group?

Thanks

Ghisoiu Cornel · November 22, 2022

Hi.

Some info related to the Protected users group:

Some actions can't be performed by protected users group members:

Members of the Protected Users group who are signed-on to Windows 8.1 devices and Windows Server 2012 R2 hosts can no longer use:

Default credential delegation (CredSSP) - plaintext credentials are not cached even when the Allow delegating default credentials policy is enabled

Windows Digest - plaintext credentials are not cached even when they are enabled

NTLM - NTOWF is not cached

Kerberos long term keys - Kerberos ticket-granting ticket (TGT) is acquired at logon and cannot be re-acquired automatically

Sign-on offline - the cached logon verifier is not created

If the domain functional level is Windows Server 2012 R2 , members of the group can no longer:

Authenticate by using NTLM authentication

Use Data Encryption Standard (DES) or RC4 cipher suites in Kerberos pre-authentication

Be delegated by using unconstrained or constrained delegation

Renew user tickets (TGTs) beyond the initial 4-hour lifetime

Best of luck.

Sabine Ludewig1709156713 · December 15, 2022

Thanks Ghisoiu for the info.

Yet I'm wondering who this affects the authentication process when adding machines from PVS to studio.

Question