Security Protected

This security group is designed as part of a strategy to manage the exposure of credentials within the company. Members of this group automatically have non-configurable protections that are applied to their accounts. Membership in the Protected Users group is supposed to be proactively restrictive and secure by default. The only way to change these protections for an account is to delete the security group account. 

Service and computer accounts should never be members of the protected user group. However, this group provides incomplete protection because the password or certificate is still available on the host computer. Authentication fails with the error "the username or password is incorrect" for any service or computer added to the protected user group.