Today we saw an issue after upgrading the forest level and domain level from 2008 to 2016 at a customer.
Soon after the upgrade admins started seeing problems when connecting with RDP to the domain management servers:
“A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support.”
This is what it looked like:
After some googling we found out that this was related to the use of Protected Groups. Some features of Protected Groups only kick in when the domain level is Windows 2012 R2 or higher:
The easiest way to fix this is to use remote PowerShell, since this is not restricted.
Start by checking if your admin account is a member of the Protected Users group:
$Cred = Get-Credential $Grp = Get-ADGroup -Identity "Protected Users" -Credential $Cred -Server dc01.e365m.local -Properties member $Grp.member | fl
Assuming your account is in the list generated by the previous commands you can remove the membership using the Remove-AdGroupMember command:
Remove-ADGroupMember -Identity "Protected Users" -Members myAdmAccount -Credential $Cred -Server dc01.e365m.local
With your membership of the ProtectedUsers group removed you can again log in using RDP and use the GUI tools to make any additional changes to Protected Users.
Make sure to review the implementation guide for the Protected Users group before rolling it out.