MDI Lab Question - Issue with Directory Service Enumeration / gMSA / SAM-R Policy

Brass Contributor



I setup my MDI lab with a Windows 2019 server, created a gMSA and installed the MDI sensor successfully.

In Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity | Micro... I need to add the Defender for Identity service account to the SAM-R policy. In my case I added the gMSA which I assume is correct.

I am now working my way through the lab playbooks ( and noticed that I get an 


System Error 5 has occurred ... Access Denied


error when running the 


net user /domain


command as user JeffL from VictimPC (Windows 10 1909). When I run the command as domain admin on that workstation it works and I see the proper output which makes sense because the SAM-R policy says that only Domain Administrators and the gMSA are allowed.


It looks to me that everything is setup how it should and a non-domain admin is unable to run 


net user /domain


on that workstation. I'd like to test MDI though and recreate the alerts by using the JeffL user. What am I doing wrong here?





4 Replies

This alert has a learning period, make sure the conditions you created are applicable to trigger the alert in this case.
Thanks for the link to the documentation, Eli. That's good to know that there's a learning period.

The problem I have is that I receive an error message when running command "net user /domain" as JeffL in this playbook (
The command works if I log into the command line as a domain admin but not as local admin.

@amueller-tf If I am not mistaken, in Windows 2019 SAMR is restricted by default, so this is expected that a normal user would fail...

The screenshot from the playbook is from an older OS.

best response confirmed by amueller-tf (Brass Contributor)
Ah, thanks again, Eli. I suspected that this would be the case after I read the lab setup again. I guess I made my lab too difficult to hack by using Windows Server 2019 ...