SOLVED

SAM-R


Hello all

I'm trying to understand why I need to configure the GPO in the below document? Is this required for MDI to be able to detect lateral movement? Also what is the default setting on a 2016 and 2019 DC, does it allow any account to perform SAM-R queries?

 

https://docs.microsoft.com/en-us/defender-for-identity/install-step8-samr

1 Reply
best response confirmed by skipster311-175 (Brass Contributor)
Solution

Hello @skipster311-175,

 

1. It is required. "a modification to Group Policy must be made to add the Defender for Identity service account"

2. The default value for 2016 and later is Administrators: Remote Access: Allow. It means that remote SAM won't be allowed for the MDfI account but it must be allowed for it in order to work correctly.

 

"The default security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (built-in) Administrators group remote access to SAM on non-domain controllers"

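One way to check the setting discussed in the answer above, as an added example that is not part of the original thread: it parses the policy's security descriptor (stored as SDDL in the `RestrictRemoteSam` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`) and reports whether a given account SID holds the Remote Access right. The service-account SID and sample descriptors are constructed placeholders, and the function names are hypothetical.

```powershell
# Added example (not from the thread). Audits the SDDL behind the GPO
# "Network access: Restrict clients allowed to make remote calls to SAM".
$READ_CONTROL = 0x00020000   # "RC" in SDDL; shown as "Remote Access" in the GPO editor

function Get-RemoteSamAllowedSid {
    # Returns the SIDs that hold an allow ACE with RC in the given descriptor.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq 'AccessAllowed' -and
            ($ace.AccessMask -band $READ_CONTROL)) {
            $ace.SecurityIdentifier.Value
        }
    }
}

function Test-RemoteSamAllowed {
    # Direct SID match only: access granted through group membership or
    # removed by a deny ACE is not evaluated here.
    param([Parameter(Mandatory)][string]$Sddl,
          [Parameter(Mandatory)][string]$AccountSid)
    @(Get-RemoteSamAllowedSid -Sddl $Sddl) -contains $AccountSid
}

# Constructed sample data. $SvcSid is a placeholder, not a real account.
$SvcSid      = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$DefaultSddl = 'O:BAG:BAD:(A;;RC;;;BA)'                    # Administrators: Remote Access: Allow
$PolicySddl  = "O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;$SvcSid)"   # after adding the service account

foreach ($case in @{ Default = $DefaultSddl; WithServiceAccount = $PolicySddl }.GetEnumerator()) {
    '{0}: allowed SIDs = {1}; service account allowed = {2}' -f $case.Key,
        ((Get-RemoteSamAllowedSid -Sddl $case.Value) -join ', '),
        (Test-RemoteSamAllowed -Sddl $case.Value -AccountSid $SvcSid)
}

# On a live Windows host, read the effective value instead of the samples:
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$live = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).RestrictRemoteSam
if ($live) { "Live: service account allowed = $(Test-RemoteSamAllowed -Sddl $live -AccountSid $SvcSid)" }
else       { 'RestrictRemoteSam not set: the OS default applies.' }
```

To test a real account, replace `$SvcSid` with the SID of the Defender for Identity service account or of a group it belongs to.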