๐ŸŸ  High   โฑ 5โ€“30 min  Last verified: 29 May 2026
Affected versions: Windows Server 2022

๐Ÿ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution โ€” Primary Fix
  7. Solution โ€” Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Service accounts fail logon after addition to Protected Users group on Windows Server 2022 disrupts operations and prevents the affected service from meeting its SLA until remediated.

Environment & Reproduction

The issue reproduces on Windows Server 2022 hosts where the security subsystem is in use, typically following configuration drift or recent updates.

Get-ADUser -Identity svcAccount -Properties memberOf
klist purge

Root Cause Analysis

The defect stems from misaligned protected users group settings, missing prerequisites, or a corrupted state that blocks normal operation.

Quick Triage

Confirm the service is running and capture current configuration state before applying any change.

klist tickets
Get-ADUser svcAccount -Properties msDS-SupportedEncryptionTypes

Step-by-Step Diagnosis

Walk the security stack from configuration to runtime, collecting logs and counters that point at the failing component.

Get-WinEvent -LogName Security | Where Id -in 4625,4771 | Select -First 20
klist sessions
Illustrative mockup for windows-server-2022 โ€” login_screen
Sign-in screen for protected users group โ€” Illustrative mockup โ€” Progressive Robot

Solution โ€” Primary Fix

Apply the corrected configuration and restart dependent services so the protected users group component re-initialises cleanly.

Still having issues? Our IT Consulting team can diagnose and resolve this for you. Get in touch for a free consultation.

Remove-ADGroupMember -Identity 'Protected Users' -Members 'svcAccount' -Confirm:$false
Set-ADUser -Identity svcAccount -KerberosEncryptionType AES128,AES256
klist purge -li 0x3e7
Illustrative mockup for windows-server-2022 โ€” event_or_log_viewer
Resolution view for protected users group โ€” Illustrative mockup โ€” Progressive Robot

Solution โ€” Alternative Approaches

Where the primary fix is blocked by policy or downtime windows, use the alternative configuration path or staged rollout below.

Set-ADAccountControl -Identity svcAccount -DoesNotRequirePreAuth $false
gpupdate /force

Verification & Acceptance Criteria

Confirm the service reports healthy state and end-to-end functionality succeeds against a representative workload.

Get-ADGroupMember 'Protected Users' | Select SamAccountName
Get-WinEvent -LogName Security | Where {$_.Id -eq 4624 -and $_.Properties[5].Value -eq 'svcAccount'}

Rollback Plan

If the fix introduces regressions, revert configuration to the pre-change baseline and restart the service to restore prior behaviour.

Add-ADGroupMember -Identity 'Protected Users' -Members 'svcAccount'
klist purge

Prevention & Hardening

Bake the validated protected users group configuration into baseline GPOs or DSC and add a monitoring check for early detection.

Get-ADUser -Filter * -Properties memberOf | Where {$_.memberOf -like '*Protected Users*'}
Set-ADUser -Identity svcAccount -ServicePrincipalNames @{Add='HOST/svcAccount.contoso.com'}

Related: other security failures, dependent service errors, and downstream client-side symptoms.

Related tutorial: View the step-by-step tutorial for Windows Server 2022.

View all Windows Server 2022 tutorials on the Tutorials Hub โ†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Microsoft Learn documentation for Windows Server 2022 and the relevant component, plus internal runbooks.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today โ€” we respond within one business day.