Different DAS Accounts for SAM-R in a Tier model

Copper Contributor

My Customer works with a local tier system
Tier 0 DC Controller
Tier 1 RODC and Member Server
Tier 2 normal clients with InternetAccess

In order to make SAM-R queries, the GMSA account (Tier0) must be stored in the GPO for all clients and servers, which represents a break in the Tier model

Question Can additional accounts be created and used explicitly for T1 and T2 by distributing different GPOs?
If yes, how does the Defender for Identity know which account is allowed to do what?

Screenshot of the Network access policy selected_.png

0 Replies