Jun 23 2021 07:41 AM - last edited on Nov 30 2021 09:23 AM by TechCommunityAP
Hi,
I set up my MDI lab with a Windows 2019 server, created a gMSA and installed the MDI sensor successfully.
In Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity | Micro... I need to add the Defender for Identity service account to the SAM-R policy. In my case I added the gMSA which I assume is correct.
I am now working my way through the lab playbooks (https://docs.microsoft.com/en-us/defender-for-identity/playbook-reconnaissance#directory-service-enu...) and noticed that I get a "System Error 5 has occurred ... Access Denied" error when running the "net user /domain" command as user JeffL from VictimPC (Windows 10 1909). When I run the command as domain admin on that workstation it works and I see the proper output, which makes sense because the SAM-R policy says that only Domain Administrators and the gMSA are allowed.
It looks to me that everything is set up how it should be and a non-domain admin is unable to run "net user /domain" on that workstation. I'd like to test MDI though and recreate the alerts by using the JeffL user. What am I doing wrong here?
Thanks,
Andre
Jun 23 2021 12:41 PM
Jun 24 2021 02:06 AM
Jun 24 2021 12:47 PM
@amueller-tf If I am not mistaken, in Windows 2019 SAMR is restricted by default, so this is expected that a normal user would fail...
The screenshot from the playbook is from an older OS.
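To see which principals the SAM-R policy discussed in this thread actually allows on a given machine, the following added example (not part of the original posts and not Microsoft's own code) reads the SDDL string that the "Network access: Restrict clients allowed to make remote calls to SAM" setting stores in the registry and lists its entries. It assumes an elevated PowerShell session on the machine being checked.

```powershell
# Added example: list who may make remote SAM (SAM-R) calls to this machine.
# The policy stores its security descriptor as an SDDL string in this value.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sddl = (Get-ItemProperty -Path $lsa -Name RestrictRemoteSam -ErrorAction SilentlyContinue).RestrictRemoteSam

if (-not $sddl) {
    # No value present: the operating system's built-in default applies.
    'RestrictRemoteSam is not set in the registry; the OS default applies.'
} else {
    "SDDL: $sddl"
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        try {
            # Resolve the SID to DOMAIN\name (a gMSA appears as DOMAIN\name$).
            $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # The SID could not be resolved; show it raw.
            $name = $ace.SecurityIdentifier.Value
        }
        # AceQualifier is AccessAllowed or AccessDenied.
        '{0,-14} {1}' -f $ace.AceQualifier, $name
    }
}
```

An account that does not appear in an AccessAllowed entry, directly or through one of its groups, is refused remote SAM calls to that machine.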
Jun 24 2021 10:52 PM
Solution