Forum Discussion
Different DSA Accounts for SAM-R in a Tier model
My customer works with a local tier system:
Tier 0: domain controllers
Tier 1: RODCs and member servers
Tier 2: normal clients with Internet access
In order to make SAM-R queries, the gMSA account (Tier 0) must be stored in the GPO for all clients and servers, which represents a break in the tier model.
Question: Can additional accounts be created and used explicitly for T1 and T2 by distributing different GPOs?
If yes, how does Defender for Identity know which account is allowed to do what?
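The GPO the question refers to is "Network access: Restrict clients allowed to make remote calls to SAM", which Windows stores as an SDDL string in the RestrictRemoteSAM registry value. The following PowerShell is an added example, not code from the thread or from Microsoft: it creates a gMSA as the DSA, builds the SDDL that keeps the default Administrators entry and adds the DSA with Remote Access, writes it into a per-tier GPO, and checks on a host whether the DSA SID actually ended up in the effective policy. The account, group, GPO, OU and domain names are assumptions. It only shows the GPO mechanics; whether the sensor would use a different DSA per tier is the open question of the thread and is not settled here.

```powershell
# Added example (not from the thread): per-tier SAM-R policy for an MDI DSA
# gMSA, plus a check of the effective value on a host. Names are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. gMSA used as the DSA. Sensor hosts (the domain controllers) must be able
#    to retrieve its password; 'MDI-Sensors' is an assumed group of those hosts.
$dsaName = 'mdiSvc01'
if (-not (Get-ADServiceAccount -Filter "Name -eq '$dsaName'")) {
    New-ADServiceAccount -Name $dsaName -DNSHostName "$dsaName.corp.example" `
        -PrincipalsAllowedToRetrieveManagedPassword 'MDI-Sensors' `
        -KerberosEncryptionType AES256
}
$dsaSid = (Get-ADServiceAccount -Identity $dsaName).SID.Value

# 2. The policy lives in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSAM
#    as SDDL. Keep the default ACE for Administrators (BA) and add each DSA with
#    Remote Access (RC); principals not listed are refused remote SAM calls.
function New-RestrictRemoteSamSddl {
    param([Parameter(Mandatory)][string[]]$AllowedSid)
    $aces = $AllowedSid | ForEach-Object { "(A;;RC;;;$_)" }
    return 'O:BAG:BAD:(A;;RC;;;BA)' + ($aces -join '')
}

# 3. One GPO per tier, each carrying only the DSA(s) that tier should accept.
#    Set-GPRegistryValue writes registry.pol; the documented path is
#    Security Options in the GPMC, which sets the same registry value.
function Set-TierSamRPolicy {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$TargetOu,
        [Parameter(Mandatory)][string[]]$DsaSid
    )
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null
    }
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
        -ValueName 'RestrictRemoteSAM' -Type String `
        -Value (New-RestrictRemoteSamSddl -AllowedSid $DsaSid) | Out-Null
    New-GPLink -Name $GpoName -Target $TargetOu -ErrorAction SilentlyContinue | Out-Null
}
Set-TierSamRPolicy -GpoName 'MDI-SAMR-Tier1' -TargetOu 'OU=Tier1,DC=corp,DC=example' -DsaSid $dsaSid
Set-TierSamRPolicy -GpoName 'MDI-SAMR-Tier2' -TargetOu 'OU=Tier2,DC=corp,DC=example' -DsaSid $dsaSid

# 4. Verify on a client or server: parse the effective SDDL with .NET rather
#    than matching the string, so a resolved or reordered ACE is still found.
function Test-RestrictRemoteSam {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [Parameter(Mandatory)][string]$Sid
    )
    $sddl = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM
    }
    # No value means the OS default (Administrators only); the DSA is not allowed.
    if (-not $sddl) { return $false }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier.Value -eq $Sid) {
            return $true
        }
    }
    return $false
}
Test-RestrictRemoteSam -ComputerName 'srv01' -Sid $dsaSid
```

Run the check after `gpupdate /force` on a host in each tier; a `$false` result on a host that should accept the DSA usually means the GPO is not linked to that OU or a higher-precedence GPO sets its own RestrictRemoteSAM value.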
- AndyWest2020 (Copper Contributor)
I have the same question.
We are planning an MDI deployment, with the same tiering as in your case.
How did you deploy MDI DSA in the end?
I am thankful for any input.
Best regards.
- Steve89 (Copper Contributor)
For our MDI (Microsoft Defender for Identity) deployment, we ultimately had to proceed with a straightforward implementation approach, as we also received no definitive guidance from Microsoft. Here’s how we managed it:
We assigned the necessary permissions to the Directory Services Account (DSA), ensuring it had the required privileges for the environment. This involved setting the appropriate permissions manually, aligned with Microsoft’s documentation on minimal permissions for MDI, rather than any specialized tiered deployment configuration. We also monitored closely to confirm that access and permissions worked as intended in our environment.