# Protected Group Members and Role Assignments In environments where SessionLimit is integrated with Active Directory, you may run into the following situation:\ a user is a member of a protected group, but does not receive SessionLimit role permissions through an AD group. ### Protected Group Members Cannot Inherit Roles from Groups If a user is a member of a **Protected Group** (SeProtectedGroup), such as: * Domain Admins * Enterprise Admins * Schema Admins * Account Operators * Administrators * Backup Operators * Print Operators this user will **not** be able to receive SessionLimit role permissions through an AD group assignment. **Example:** * You assign a SessionLimit role to an AD group. * The user is a member of that AD group. * But the user does not see or get the expected SessionLimit permissions. **Reason:** this is caused by **protected account behavior** in Windows, not by a SessionLimit bug. ### Correct Solution For users who are members of protected groups: * **Do not rely** on AD group-based role inheritance for SessionLimit. * Instead, **add the user directly to the desired SessionLimit role**. In other words:\ **AD Group → Role mapping works for normal users, but protected users must be added directly to the role.** ### Why Does This Happen? For protected accounts, Windows applies additional security restrictions, for example: * Prevents automatic permission inheritance for some scenarios. * Applies SID filtering and token cleanup. * Only trusts **explicit** (direct) permissions instead of group-based inheritance in certain contexts. Because of these mechanisms, SessionLimit role permissions: * **Can** be granted to a protected user via **direct role assignment**. * **Cannot** be reliably inherited via **group membership**. **Important:** This is expected behavior in Active Directory and Windows security design.\ SessionLimit simply reflects what the OS and directory services provide; it does not override protected account handling. ### Practical Administration Tips * For any admin-level user, first ask: *“Does this account really need to be a member of a protected group (e.g., Domain Admins)?”* * Where possible, create a dedicated **SessionLimit admin account** that is **not** a member of protected groups. * For accounts that must remain in protected groups (e.g. Domain Admins): * Assign the SessionLimit role **directly to the user**, not via group. #### Troubleshooting Checklist If a user cannot see or use a SessionLimit role you expect them to have, follow these steps: 1. Check which AD groups the user is a member of. 2. Compare those groups with the known **protected groups** list. 3. If the user is a member of a protected group: * Add the user directly to the relevant SessionLimit role. * Do not rely on group-based inheritance for this user. ### Common Real-World Scenario **Scenario:**\ \&#xNAN;*“John is a member of the Domain Admins group. I added her to the ‘SessionLimitAdmins’ AD group, which is mapped to the SessionLimit Admin role, but she still doesn’t see admin permissions in the UI.”* **Resolution:**\ Add John **directly** to the `SessionLimit Admin` role inside the SessionLimit UI. ### Summary | Case | Role via AD Group Membership | Direct Role Assignment | | ----------------------------- | ------------------------------ | ---------------------- | | Standard (non-protected) user | ✅ Works | ✅ Works | | Protected Group member | ❌ Not reliable / Does not work | ✅ Works (recommended) | You can place this guide under the **“Tips & Tricks”** section of your SessionLimit documentation, wiki, or knowledge base. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.sessionlimit.com/tips-and-tricks/protected-group-members-and-role-assignments.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.