This document describes the requirements and implementation details for managing Active Directory (AD) accounts that are members of the Protected Users group using Safeguard for Privileged Passwords (SPP). Support for this scenario is available in SPP 7.3 / 7.0.3 LTS or higher.
As an administrator, I want my privileged AD accounts to be members of the Protected Users group to add an additional layer of security.
At the same time, I need these accounts to be managed by SPP such that:
When I add AssetAccounts to the Protected Users group in AD, Change Password works as expected, but Check Password fails. How can I resolve this?
The Protected Users security group is a built-in Active Directory security group designed to reduce the risk of credential theft. When an account is added to this group, AD applies protections that users typically cannot override unless the account is removed from the group.
More information: Protected Users Security Group in Windows Server
ChangePassword
The Protected Users group does not prevent password changes. Change Password should work normally whether or not the account is a member of Protected Users.
CheckPassword
Accounts in the Protected Users group cannot authenticate using NTLM. Therefore, Kerberos is required.
As a result, Check Password will fail if SPP cannot successfully perform Kerberos authentication—most commonly due to DNS / name resolution issues or AD asset configuration that causes SPP to fall back to NTLM.
2026-03-18T15:11:52-04:00 Information Platform framework version 8.2.0.2468
2026-03-18T15:11:52-04:00 Information Initializing CheckPassword platform task 51d37769-22fe-11f1-a5a2-83c17546dd56
2026-03-18T15:11:52-04:00 Debug ############### Operation Parameters ################
2026-03-18T15:11:52-04:00 Debug AssetName vertige.local AD
2026-03-18T15:11:52-04:00 Debug Address dc01.vertige.local
2026-03-18T15:11:52-04:00 Debug FuncUserName safeguard
2026-03-18T15:11:52-04:00 Debug FuncUserNetBiosName VERTIGE
2026-03-18T15:11:52-04:00 Debug FuncUserDomain vertige.local
2026-03-18T15:11:52-04:00 Debug FuncPassword **secret**
2026-03-18T15:11:52-04:00 Debug UseSsl False
2026-03-18T15:11:52-04:00 Debug AccountUserName Admin1474237082
2026-03-18T15:11:52-04:00 Debug NetBiosName VERTIGE
2026-03-18T15:11:52-04:00 Debug DomainName vertige.local
2026-03-18T15:11:52-04:00 Debug AccountPassword **secret**
2026-03-18T15:11:52-04:00 Debug CheckPassword
2026-03-18T15:11:52-04:00 Debug Using 'safeguard@vertige.local' from user= safeguard, domain= vertige.local, netBios= VERTIGE.
2026-03-18T15:11:52-04:00 Debug Using PrincipalContext to validate credentials for dc01.vertige.local
2026-03-18T15:11:52-04:00 Debug Validated connection. Added dc01.vertige.local to asset cache.
2026-03-18T15:11:52-04:00 Information Connecting with directory service on asset vertige.local AD with address dc01.vertige.local
2026-03-18T15:11:52-04:00 Information Retrieving Admin1474237082
2026-03-18T15:11:52-04:00 Information Checking password for Admin1474237082
2026-03-18T15:11:52-04:00 Debug Using 'Admin1474237082@vertige.local' from user= Admin1474237082, domain= vertige.local, netBios= VERTIGE.

2026-03-18T15:10:27-04:00 Information Platform framework version 8.2.0.2468
2026-03-18T15:10:27-04:00 Information Initializing CheckPassword platform task 19c11b88-22fe-11f1-be15-cd94961f7b1f
2026-03-18T15:10:27-04:00 Debug ############### Operation Parameters ################
2026-03-18T15:10:27-04:00 Debug AssetName vertige.local AD
2026-03-18T15:10:27-04:00 Debug Address 10.3.62.141
2026-03-18T15:10:27-04:00 Debug FuncUserName safeguard
2026-03-18T15:10:27-04:00 Debug FuncUserNetBiosName VERTIGE
2026-03-18T15:10:27-04:00 Debug FuncUserDomain vertige.local
2026-03-18T15:10:27-04:00 Debug FuncPassword **secret**
2026-03-18T15:10:27-04:00 Debug UseSsl False
2026-03-18T15:10:27-04:00 Debug AccountUserName Admin1474237082
2026-03-18T15:10:27-04:00 Debug NetBiosName VERTIGE
2026-03-18T15:10:27-04:00 Debug DomainName vertige.local
2026-03-18T15:10:27-04:00 Debug AccountPassword **secret**
2026-03-18T15:10:27-04:00 Debug CheckPassword
2026-03-18T15:10:28-04:00 Debug Using 'safeguard@vertige.local' from user= safeguard, domain= vertige.local, netBios= VERTIGE.
2026-03-18T15:10:28-04:00 Debug Using PrincipalContext to validate credentials for 10.3.62.141
2026-03-18T15:10:28-04:00 Debug Validated connection. Added 10.3.62.141 to asset cache.
2026-03-18T15:10:28-04:00 Information Connecting with directory service on asset vertige.local AD with address 10.3.62.141
2026-03-18T15:10:28-04:00 Information Retrieving Admin1474237082
2026-03-18T15:10:29-04:00 Information Checking password for Admin1474237082
2026-03-18T15:10:29-04:00 Debug Using 'Admin1474237082@vertige.local' from user= Admin1474237082, domain= vertige.local, netBios= VERTIGE.
2026-03-18T15:10:29-04:00 Debug CheckPassword failed. Access to the resource was denied.
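
The following triage example for task logs in the layout shown above is added here and is not part of SPP or One Identity's tooling. It groups records by CheckPassword task and flags failed tasks whose Address is an IP literal. The sample log, its host name, IP address and task ids are constructed, and the link from an IP address to NTLM fallback is an assumption based on Kerberos needing a host name to form the service principal name.

```python
import ipaddress
import re

# Constructed sample in the task-log layout shown above; host, IP and task ids are made up.
SAMPLE_LOG = (
    "2026-03-18T15:11:52-04:00 Information Initializing CheckPassword platform task task-0001\n"
    "2026-03-18T15:11:52-04:00 Debug Address dc01.example.test\n"
    # The next two records are run together on one line, as happens when logs are pasted.
    "2026-03-18T15:11:52-04:00 Information Checking password for svc-admin"
    "2026-03-18T15:10:27-04:00 Information Initializing CheckPassword platform task task-0002\n"
    "2026-03-18T15:10:27-04:00 Debug Address 192.0.2.10\n"
    "2026-03-18T15:10:29-04:00 Debug CheckPassword failed. Access to the resource was denied.\n"
)

STAMP = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}"
# A record runs from one timestamp to the next, so fused lines are still split correctly.
RECORD = re.compile(rf"({STAMP}) (\w+) (.*?)(?={STAMP} |\Z)", re.S)


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return one summary dict per CheckPassword task found in log_text."""
    tasks = []
    for _, _, msg in RECORD.findall(log_text):
        msg = msg.strip()
        if msg.startswith("Initializing CheckPassword platform task "):
            tasks.append({"task": msg.split()[-1], "address": None,
                          "by_ip": False, "failed": False})
        elif tasks and msg.startswith("Address "):
            addr = msg.split(None, 1)[1]
            tasks[-1].update(address=addr, by_ip=is_ip_literal(addr))
        elif tasks and msg.startswith("CheckPassword failed"):
            tasks[-1]["failed"] = True
    for t in tasks:
        # Assumption: an IP literal leaves no host name to build a Kerberos SPN from,
        # so the bind likely falls back to NTLM, which Protected Users members cannot use.
        t["suspect_ntlm_fallback"] = t["failed"] and t["by_ip"]
    return tasks


if __name__ == "__main__":
    for summary in triage(SAMPLE_LOG):
        print(summary)
```

A failed task that is not flagged still points at Kerberos: check that SPP can resolve the domain controller's name before looking elsewhere.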