Since ARS Admin accounts were added to the Protected Users group in AD, the ARS client cannot longer be launched whilst the accounts are in this group:
This is a known limitation with "Protected Users" AD group. It disables the use of NTLM and caching is no longer available.
See Microsoft KB article which details how the "Protected Users" AD group works. It also contains the following warning:
1.- Refer ARS Doc to configure the Administration Service to support Kerberos authentication:
2.- Enable Kerberos authentication.
3.- Connect to the ARS service by using the ARS Service FQDN as this will not work if ‘localhost’ is used:
Note: The ARS Admin has to be a local administrator: