MDI Lab Question - Issue with Directory Service Enumeration / gMSA / SAM-R Policy

Hi,

I setup my MDI lab with a Windows 2019 server, created a gMSA and installed the MDI sensor successfully.

In https://docs.microsoft.com/en-us/defender-for-identity/install-step8-samr I need to add the Defender for Identity service account to the SAM-R policy. In my case I added the gMSA which I assume is correct.

I am now working my way through the lab playbooks (https://docs.microsoft.com/en-us/defender-for-identity/playbook-reconnaissance#directory-service-enumeration-via-net-from-victimpc) and noticed that I get an 

System Error 5 has occurred ... Access Denied

error when running the 

net user /domain

command as user JeffL from VictimPC (Windows 10 1909). When I run the command as domain admin on that workstation it works and I see the proper output which makes sense because the SAM-R policy says that only Domain Administrators and the gMSA are allowed.

It looks to me that everything is setup how it should and a non-domain admin is unable to run 

net user /domain

on that workstation. I'd like to test MDI though and recreate the alerts by using the JeffL user. What am I doing wrong here?

Thanks,

Andre