Forum Discussion

Steve89
Apr 12, 2024

Different DAS Accounts for SAM-R in a Tier model

My customer works with a local tier system:
Tier 0: Domain Controllers (DC)
Tier 1: RODC and member servers
Tier 2: normal clients with Internet access

In order to make SAM-R queries, the gMSA account (Tier 0) must be stored in the GPO for all clients and servers, which represents a break in the tier model.

Question: Can additional accounts be created and used explicitly for T1 and T2 by distributing different GPOs?
If yes, how does Defender for Identity know which account is allowed to do what?
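The tier break described above comes from one setting: the principals granted in the "Network access: Restrict clients allowed to make remote calls to SAM" policy on every client and server. Whatever account design is chosen, a defender wants to verify per tier which principals that policy actually grants on a given machine. The following PowerShell script is an added example for this thread (not code from the original post and not Microsoft tooling). It assumes the policy is stored, as documented, in the registry value `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSam` as an SDDL string, that the OS default when the value is absent is `O:BAG:BAD:(A;;RC;;;BA)` (Administrators only), and it uses a constructed placeholder account name `CONTOSO\mdi-dsa-t1$` for a hypothetical tier-specific DSA.

```powershell
# Added example (not from the thread): list which principals the local machine's
# "Restrict clients allowed to make remote calls to SAM" policy grants, and compare
# them with the principals expected on this tier.
# Assumptions: the policy lives in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSam
# as a REG_SZ SDDL; the expected-principal list below is a constructed placeholder.

param(
    # Principals expected on machines of this tier (constructed placeholders; replace with your own).
    [string[]]$ExpectedPrincipals = @('BUILTIN\Administrators', 'CONTOSO\mdi-dsa-t1$')
)

function Get-RemoteSamAllowedPrincipals {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Sddl)

    # Parse the SDDL into a security descriptor and keep only AccessAllowed ACEs in the DACL.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if (-not $sd.DiscretionaryAcl) { return }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $sid.Value   # unresolvable SID (deleted account or untrusted domain)
        }
        [pscustomobject]@{
            Principal  = $name
            Sid        = $sid.Value
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}

function Test-RemoteSamPolicy {
    param([string[]]$Expected)

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $regPath -Name 'RestrictRemoteSam' -ErrorAction SilentlyContinue).RestrictRemoteSam
    if (-not $value) {
        # No policy applied: Windows falls back to its built-in default (Administrators only).
        $value = 'O:BAG:BAD:(A;;RC;;;BA)'
        Write-Warning 'RestrictRemoteSam is not set; evaluating the OS default SDDL.'
    }

    $allowed      = @(Get-RemoteSamAllowedPrincipals -Sddl $value)
    $allowedNames = @($allowed | ForEach-Object { $_.Principal })
    # Principals granted here that this tier should not have (e.g. an account meant for another tier).
    $unexpected   = @($allowedNames | Where-Object { $Expected -notcontains $_ })
    # Expected principals that are not granted (the sensor's queries would be refused).
    $missing      = @($Expected | Where-Object { $allowedNames -notcontains $_ })

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Sddl       = $value
        Allowed    = $allowedNames
        Unexpected = $unexpected
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

Test-RemoteSamPolicy -Expected $ExpectedPrincipals | Format-List
```

Run it on one machine per tier with that tier's expected list; a non-empty `Unexpected` column is the concrete evidence of the cross-tier grant the post is worried about, and `Missing` shows where a per-tier account was not distributed by its GPO. The script only reads the registry and resolves SIDs, so it is safe to run under a tier-appropriate administrative context without touching the policy itself.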


  • AndyWest2020

    Steve89 

    I have the same question. 

    We are planning an MDI deployment. Same tiering as in your case. 

    How did you deploy the MDI DSA in the end?

    I am thankful for any input. 

    Best regards.

    • Steve89

      AndyWest2020 

      For our MDI (Microsoft Defender for Identity) deployment, we ultimately had to proceed with a straightforward implementation approach, as we also received no definitive guidance from Microsoft. Here’s how we managed it:

      We assigned the necessary permissions to the Directory Services Account (DSA), ensuring it had the required privileges for the environment. This involved setting the appropriate permissions manually, aligned with Microsoft’s documentation on minimal permissions for MDI, rather than any specialized tiered deployment configuration. We also monitored closely to confirm that access and permissions worked as intended in our environment.