Steve89
Apr 12, 2024, Copper Contributor
Different DAS Accounts for SAM-R in a Tier model
My customer works with a local tier system:
Tier 0: DC Controller
Tier 1: RODC and Member Server
Tier 2: normal clients with Internet access
In order to make SAM-R queries, the gMSA account (Tier 0) must be stored in the GPO for all clients and servers, which represents a break in the tier model.
Question: Can additional accounts be created and used explicitly for T1 and T2 by distributing different GPOs?
If yes, how does Defender for Identity know which account is allowed to do what?