PowerShell / PSDscResources

MIT License

MSFT_GroupResource: SAMR can be blocked by domain controller GPO in Get-TargetResource #206

Open tylerdums opened 2 years ago

tylerdums commented 2 years ago

Details of the scenario you tried and the problem that is occurring

When we use this module, we found it's blocked by the following group policy, which somehow is set on the domain controller.

Network access - Restrict clients allowed to make remote calls to SAM - Windows security | Microsoft Docs.

Error at function Get-TargetResource in file MSFT_GroupResource.psm1.

Verbose logs showing the problem


Network trace shows the SAMR connection failed with status 0x5, which means "Access Denied". It also shows the computer account is used. So when the GPO "Restrict clients allowed to make remote calls to SAM" is set on the domain controller and does not allow the computer account, this DSC command fails when it uses the function Get-TargetResource.

Suggested solution to the issue

It's possible some domain admins follow the CIS recommendation to set it that way (see the following picture), although CIS actually only recommends it for the "member server", not the domain controller. Would you please consider changing the code from using SAMR to the LDAP protocol, which won't be impacted by the GPO?

The DSC configuration that is used to reproduce the issue (as detailed as possible)

We first configure a group in Administrators. It runs successfully. Secondly, we add another group, and it shows the error.

The operating system the target node is running


Version and build of PowerShell the target node is running


Version of the DSC module that was used ('dev' if using current dev branch)

Not exactly sure, but it should be the official version, not dev.

tylerdums commented 2 years ago

We have done some further research and think the issue is that Find-Principal uses .NET System.DirectoryServices.AccountManagement, which by design could use SAMR (an RPC call to SAM), which can potentially be blocked when the domain controller has configured network-access-restrict-clients-allowed-to-make-remote-sam-calls. We have asked our AD admin to set it to the Microsoft default value. In the long term, if Find-Principal used another mechanism that leverages LDAP/Kerberos calls instead of SAMR, this issue could be bypassed. It's possible any domain admin wants to restrict SAMR read permission or a security admin wants to block RPC against SAM. To make this DSC module work with the group policy, it needs an exemption for all domain member machines, which may raise some security concerns.
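As an added example (not code from PSDscResources or the reporter), here are the two checks a defender would want around this report: read the RestrictRemoteSam value that the "Restrict clients allowed to make remote calls to SAM" policy writes on the machine, and resolve a principal over LDAP with System.DirectoryServices.DirectorySearcher, the kind of lookup the comment suggests as an alternative to the AccountManagement path that can end up on SAMR. It assumes a domain-joined host; the function names and the sample principal are mine.

```powershell
# Added example, not part of the PSDscResources module.
# Check whether the SAM remote-call restriction is configured on this host and,
# if so, list the principals the policy's SDDL allows.
function Get-RestrictRemoteSamSetting {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name 'RestrictRemoteSam' -ErrorAction SilentlyContinue).RestrictRemoteSam
    if (-not $value) {
        # No value: the operating-system default applies, the policy is not configured here.
        return [pscustomobject]@{ Configured = $false; Sddl = $null; AllowedPrincipals = @() }
    }
    # The GPO stores an SDDL string; parse it so the allowed SIDs can be reviewed by name.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($value)
    $principals = foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $ace.SecurityIdentifier.Value }   # unresolvable SID: keep the raw S-1-... form
    }
    [pscustomobject]@{ Configured = $true; Sddl = $value; AllowedPrincipals = @($principals) }
}

# Resolve a user or group by sAMAccountName over LDAP rather than SAMR.
function Find-PrincipalViaLdap {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Domain   # optional DNS domain name; default is the current domain's RootDSE
    )
    $rootDse    = if ($Domain) { [ADSI]"LDAP://$Domain/RootDSE" } else { [ADSI]'LDAP://RootDSE' }
    $searchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher   = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
    # Escape RFC 4515 filter metacharacters so a caller-supplied name cannot change the filter.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter = "(&(|(objectClass=user)(objectClass=group))(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'objectSid', 'objectClass', 'sAMAccountName'))
    $result = $searcher.FindOne()
    if (-not $result) { return $null }
    $sidBytes = [byte[]]$result.Properties['objectsid'][0]
    [pscustomobject]@{
        SamAccountName    = [string]$result.Properties['samaccountname'][0]
        DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        Sid               = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        ObjectClass       = [string]$result.Properties['objectclass'][-1]   # most specific class last
    }
}

# Sample usage (constructed): inspect the policy, then look up a group without touching SAMR.
Get-RestrictRemoteSamSetting | Format-List
Find-PrincipalViaLdap -SamAccountName 'Domain Admins' | Format-List
```

Run the first function on the domain controller that enforces the policy; on a member server it only reports that host's own setting.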