This repository has been archived by the owner on Jun 14, 2024. It is now read-only.
Details of the scenario you tried and the problem that is occurring

When we use this module, we found it is blocked by the following group policy, which somehow is set on the domain controller:
Network access - Restrict clients allowed to make remote calls to SAM - Windows security | Microsoft Docs.
The error is at function Get-TargetResource in file MSFT_GroupResource.psm1.

Verbose logs showing the problem

A network trace shows the SAMR connection failed with status 0x5, which means "Access Denied". It also shows the computer account is used. So when the GPO "Restrict clients allowed to make remote calls to SAM" is set on the domain controller and does not allow the computer account, this DSC command fails when it uses function Get-TargetResource.

Suggested solution to the issue

It's possible some domain admins follow the CIS recommendation to set it that way (see the following picture), although CIS actually only recommends it for "member server", not the domain controller.
Would you please consider changing the code from using the SAMR protocol to LDAP, which won't be impacted by the GPO?

The DSC configuration that is used to reproduce the issue (as detailed as possible)

We first configure a group in Administrators.
It runs successfully.
Second, we add another group, and it shows the error.

The operating system the target node is running

Version and build of PowerShell the target node is running

Version of the DSC module that was used ('dev' if using current dev branch)

Not exactly sure, but it should be the official version, not dev.

We have done some further research and think the issue is that Find-Principal uses .NET System.DirectoryServices.AccountManagement, which by design could use SAMR (an RPC call to SAM), which can potentially get blocked when the domain controller has configured network-access-restrict-clients-allowed-to-make-remote-sam-calls.
We have asked our AD admin to set it to the Microsoft default value.
Long term, if Find-Principal used another mechanism that leverages LDAP/Kerberos calls instead of SAMR, this issue could be bypassed. It's possible any domain admin wants to restrict SAMR read permission, or a security admin wants to block RPC against SAM. To make this DSC module work with the group policy, it needs an exemption for all domain member machines, which may raise some security concerns.
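The following PowerShell is an added example, not code from the original issue and not the module's own Find-Principal. It serves both the report above (a SAMR call from the computer account denied by the "Restrict clients allowed to make remote calls to SAM" policy) and the follow-up suggestion to resolve principals over LDAP instead: the first function reads the policy as the GPO writes it to the registry on the host it was applied to and lists which SIDs are still allowed, and the second resolves a domain user or group with System.DirectoryServices.DirectorySearcher, which speaks LDAP (with Kerberos authentication on a domain-joined host) and is not subject to that policy. The function and parameter names, the sample domain name and the sample account names are assumptions; it needs a domain-joined Windows host and an ordinary domain user.

```powershell
# Added example, not code from the original issue or from the PSDscResources module.
# Function, parameter and sample account names below are assumptions.

function Get-RestrictRemoteSamPolicy {
    # The GPO stores its SDDL string in this registry value. Microsoft's documented
    # default is 'O:BAG:BAD:(A;;RC;;;BA)': READ_CONTROL for BUILTIN\Administrators only.
    $lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $sddl = $lsa.RestrictRemoteSam
    $aces = @()
    if ($sddl) {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Each allow ACE names a SID that may still make remote SAM calls to this host.
            $sid = $ace.SecurityIdentifier
            $account = $sid.Value
            try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            $aces += [pscustomobject]@{ Type = $ace.AceType; Principal = $account; Sid = $sid.Value }
        }
    }
    [pscustomobject]@{
        Configured    = [bool]$sddl
        Sddl          = $sddl
        AuditOnlyMode = [bool]$lsa.RestrictRemoteSamAuditOnlyMode   # audit-only switch documented next to the policy
        Aces          = $aces
    }
}

function Escape-LdapFilterValue {
    # RFC 4515 escaping, so a caller-supplied name cannot change the shape of the filter.
    param([string] $Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Resolve-DomainPrincipalLdap {
    param(
        [Parameter(Mandatory)] [string] $Name,   # 'CONTOSO\alice', 'alice', or a SID string (assumed input forms)
        [string] $Domain                         # optional DNS domain, e.g. corp.contoso.com; default: the host's own domain
    )
    # A NetBIOS prefix is not part of the LDAP name; sAMAccountName is what AD indexes.
    $value = ($Name -split '\\')[-1]
    if ($value -match '^S-1-\d+(-\d+)+$') {
        $filter = "(objectSid=$value)"                               # AD accepts the string form of a SID here
    } else {
        $filter = "(sAMAccountName=$(Escape-LdapFilterValue $value))"
    }

    # DirectorySearcher talks LDAP only; with no SearchRoot it does a serverless bind to the
    # host's own domain and authenticates with Kerberos. No MS-SAMR traffic is involved.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($Domain) { $searcher.SearchRoot = [ADSI]"LDAP://$Domain" }
    $searcher.Filter = "(&(|(objectClass=user)(objectClass=group))$filter)"
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'objectSid', 'distinguishedName', 'objectClass'))

    $hit = $searcher.FindOne()
    if (-not $hit) { return $null }                                  # caller decides whether "not found" is an error

    $sidBytes = [byte[]]$hit.Properties['objectsid'][0]
    [pscustomobject]@{
        SamAccountName    = $hit.Properties['samaccountname'][0]
        Sid               = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        DistinguishedName = $hit.Properties['distinguishedname'][0]
        ObjectClass       = $hit.Properties['objectclass'] | Select-Object -Last 1   # most specific class: user or group
    }
}

# Usage (sample names are assumptions):
#   Get-RestrictRemoteSamPolicy | Format-List
#   Resolve-DomainPrincipalLdap -Name 'CONTOSO\Domain Admins'
#   Resolve-DomainPrincipalLdap -Name 'S-1-5-21-1111111111-2222222222-3333333333-512' -Domain 'corp.contoso.com'
```

Run Get-RestrictRemoteSamPolicy on the domain controller to see exactly which principals the current policy still admits; if the computer accounts of the member servers are not among the allow ACEs, the SAMR path described in the report will be denied with 0x5 while the LDAP lookup above still answers. The whitelist approach the comment warns about (adding every domain member to the SDDL) is what the LDAP-based resolver avoids.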