Protected Users: you thought you were safe, huh?
ID: 34c3cf4e-58ee-5725-a32f-ec5c3d00ad8d
STIX ID: report--34c3cf4e-58ee-5725-a32f-ec5c3d00ad8d
Feed Name: SensePost Blog
This report demonstrates that the Active Directory built-in RID 500 (Administrator) account remains exempt from key protections of the "Protected Users" group: RC4-based Kerberos authentication and delegation can still be used against it, which enables OverPass-the-Hash and RBCD delegation abuse whenever an NT hash or an active session for that account is available. The authors provide proof-of-concept tests, exploitation scenarios, and mitigations (restrict protocol encryption via ms-DSSupportedProtocolEncryption, mark the account as sensitive and cannot be delegated, or disable the account), and note that Microsoft considers the behavior intended.
