What is Restricted Admin mode for Remote Desktop and why does it matter for penetration testing?

Restricted Admin mode is a feature introduced in Windows 8.1 and Server 2012 R2 that prevents user credentials from being exposed on the target remote system during an RDP session. For penetration testers, when this mode is enabled on both the server and client, you can perform Pass the Hash with Remote Desktop using the user's NTLM hash instead of a plaintext password. This technique is especially useful after obtaining a hash through other methods, like those covered in Domain Penetration - Implementation of Pass The Hash.