Microsoft windows directory services sam

Last Updated on March 19, 2023 by

In Part 01 of the Microsoft Defender for Identity blog series, I explained what Microsoft Defender for Identity is and its benefits. I also covered the prerequisites. In that list, I mentioned that we need a Directory Service Account (DSA) to connect to the Active Directory forest.

There are two types of DSA we can use for this task.

1) Regular Active Directory user account
2) Group Managed Service Account (gMSA)

Of the two, a regular user account is the easiest to set up, but its password has to be managed manually. Even though the account only has read permission on all objects, it still creates a security risk. Therefore the recommended type of DSA is a gMSA. In this article I demonstrate how to create a gMSA with the relevant permissions. If you are new to gMSAs, please read the following article first to understand how they work: https://www.rebeladmin.com/2018/02/step-step-guide-work-group-managed-service-accounts-gmsa-powershell-guide/

Role of DSA

The DSA requires read permission on all AD objects. But why? We need the DSA for the following tasks.

1) During the initial setup of the Microsoft Defender for Identity sensor, we use LDAP to connect to a domain controller. This requires a user name and a password.
2) The MDI sensor needs to query the domain controller for data about objects that appear in events and network traffic.
3) The MDI sensor that acts as the "domain synchronizer" connects to the domain and tracks changes to objects and attributes.
4) MDI needs to query the membership of the local Administrators group on devices using the SAM-R protocol. For that, the DSA must have remote access rights on the device.

Apart from that, there are a few other things to consider before setting up the DSA.

1) The DSA should have read-only access to all objects in Active Directory (including the Deleted Objects container).
2) In a multi-domain/multi-forest environment, you can use one DSA as long as it has read permission on all objects. In a disconnected environment, each forest needs its own DSA.
3) By default, MDI supports 30 DSA accounts; if you need more than that, contact MDI support.
4) It is recommended to create the DSA entry in the root domain.
5) It is possible to use both types of DSA in one configuration, but gMSA entries get priority in the processing order.
6) If the MDI sensor cannot complete LDAP authentication at start-up, the sensor will not enter the running state.

When we use a gMSA as the DSA, the sensor host must have permission to retrieve the account's password from Active Directory. The best way to do this is to create a security group, add the Domain Controllers and AD FS servers to it, and grant that group password retrieval permission using -PrincipalsAllowedToRetrieveManagedPassword. If you are not planning to use AD FS, you can use the built-in Domain Controllers security group instead.

Let's start the configuration process by creating a Global Security group.

1) Log in to a Domain Controller as a Domain Administrator.
2) Run New-ADGroup -Name "MDISensorGrp" -GroupCategory Security -GroupScope Global -Path "OU=Servers,DC=rebeladmin,DC=com"

Create Active Directory Security Group

3) This creates a global security group called "MDISensorGrp". The -Path value in the above command should be changed to suit your environment.

Active Directory Group Properties

After the group is in place, we need to add all the Domain Controllers and AD FS servers to it. If you add a server to the group later on, that server will not get the permission until a new Kerberos ticket is issued to it. You can get a new Kerberos ticket by rebooting the server. Alternatively, you can purge the existing tickets, which forces the domain controller to request a new ticket; do this by running klist purge -li 0x3e7 as an administrator.

The next step of this configuration is to add members to the newly created group.

Add-ADGroupMember -Identity "MDISensorGrp" -Members PDC01$,SDC01$

Above, I am adding the PDC01 and SDC01 domain controllers to the "MDISensorGrp" security group. Note that you need to append $ to the hostname, as that is the pattern of a computer account's sAMAccountName.

sAMAccountName Value for the Domain Controller

Now we have the group in place. The next step of the configuration is to create the gMSA.

New-ADServiceAccount -Name mdisvc01 -DNSHostName "mdisvc01.rebeladmin.com" -PrincipalsAllowedToRetrieveManagedPassword MDISensorGrp

Create new gMSA account for Defender for Identity

Above, mdisvc01 is the gMSA name. We are granting password retrieval permission to the MDISensorGrp security group using -PrincipalsAllowedToRetrieveManagedPassword.

Note – Here I assume the KDS root key has already been created with the Add-KdsRootKey cmdlet. If not, please follow https://www.rebeladmin.com/2018/02/step-step-guide-work-group-managed-service-accounts-gmsa-powershell-guide/ to create the KDS root key first.

After the account is in place, we can install it on each server using

Install-ADServiceAccount -Identity mdisvc01

Note – If you get an access denied error, restart the server so the new group membership takes effect.

Once the account is installed, we can test it using

Test-ADServiceAccount -Identity mdisvc01

Test gMSA Account

This completes the gMSA setup and installation.
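The steps above collected into one script, as an added example that is not from the original article. It assumes the ActiveDirectory module, Domain Admin rights, PowerShell Remoting (WinRM) to the domain controllers, and the article's names (MDISensorGrp, mdisvc01, the OU path); $AdfsServers is a placeholder you fill in.

```powershell
# Added example, not from the original article. Provisions the MDI DSA end to end.
Import-Module ActiveDirectory

$GroupName   = 'MDISensorGrp'
$GroupPath   = 'OU=Servers,DC=rebeladmin,DC=com'   # adjust to your environment
$GmsaName    = 'mdisvc01'
$AdfsServers = @()   # placeholder: sAMAccountNames of AD FS servers, e.g. 'ADFS01$'
$Domain      = Get-ADDomain

# The gMSA cannot be created until a KDS root key exists (Add-KdsRootKey).
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found; create one with Add-KdsRootKey before continuing.'
}

# Global security group that is allowed to retrieve the gMSA password.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Global `
                         -Path $GroupPath -PassThru
}

# Members: every domain controller (writable and RODC) plus any AD FS servers.
# Computer accounts are addressed by sAMAccountName, hence the trailing '$'.
$dcs     = Get-ADDomainController -Filter * | ForEach-Object { Get-ADComputer $_.ComputerObjectDN }
$members = @($dcs) + @($AdfsServers | ForEach-Object { Get-ADComputer $_ })
Add-ADGroupMember -Identity $group -Members $members

# Create the gMSA; only members of $group may retrieve its password.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.$($Domain.DNSRoot)" `
                         -PrincipalsAllowedToRetrieveManagedPassword $group
}

# On each member: purge the computer's Kerberos tickets so the new group
# membership takes effect, then install and test the account.
$report = foreach ($m in $members) {
    Invoke-Command -ComputerName $m.DNSHostName -ArgumentList $GmsaName -ScriptBlock {
        param($acct)
        klist purge -li 0x3e7 | Out-Null          # 0x3e7 = LocalSystem logon session
        Install-ADServiceAccount -Identity $acct
        [pscustomobject]@{
            Server    = $env:COMPUTERNAME
            Installed = Test-ADServiceAccount -Identity $acct   # $true when usable
        }
    }
}
$report | Format-Table -AutoSize
```

Any server showing Installed = False still needs a reboot or ticket purge before the sensor can retrieve the password.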

Configure SAM-R permissions

MDI uses the SAM-R protocol to query the membership of the local Administrators group. For this to work, the DSA needs specific remote access permission on each computer. We can use a GPO to apply this permission.

1) Create a new GPO or select an existing GPO for this task. The policy should apply to all computers except Domain Controllers.
2) Open the policy in the Group Policy Management Editor and go to Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options.
3) Open the policy Network access: Restrict clients allowed to make remote calls to SAM.

Group Policy setting for SAM-R queries

4) Tick Define this policy setting.

5) Click the Edit Security… button and add the DSA account to the list with the Remote Access permission.

Add remote access permission to Defender for Cloud service account

6) Click OK to apply the changes.

Note: If you define the Access this computer from the network policy setting in any GPO, you must add the DSA account to that list as well. This policy is located under Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignment.
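A check to run on a member server after the GPO has applied, added here as an example that is not from the original article. It reads the SDDL that this policy stores in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSAM and confirms the gMSA (mdisvc01, the article's name) holds the Remote Access right; it assumes the ActiveDirectory module is available on the server to resolve the SID.

```powershell
# Added example, not from the original article. Run on a host in scope of the GPO
# to confirm the DSA is allowed to make remote SAM calls.
param([string]$GmsaName = 'mdisvc01')   # gMSA name from the article

function Test-RemoteSamAccess {
    param([Parameter(Mandatory)][string]$AccountSid)
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $sddl = (Get-ItemProperty -Path $lsa -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM
    if (-not $sddl) {
        # No value means the policy is not defined on this host: remote SAM calls
        # are not restricted, so the DSA works, but so does every other caller.
        return [pscustomobject]@{ Defined = $false; Allowed = $true; Sddl = $null }
    }
    # "Remote Access" in the policy UI is the RC (READ_CONTROL, 0x20000) right.
    $READ_CONTROL = 0x20000
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
    $allowed = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only a direct Allow ACE for this SID counts; an allow granted through a
        # group the gMSA belongs to is not detected by this check.
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier.Value -eq $AccountSid -and
            ($ace.AccessMask -band $READ_CONTROL)) { $allowed = $true }
    }
    [pscustomobject]@{ Defined = $true; Allowed = $allowed; Sddl = $sddl }
}

# Resolve the gMSA's SID from AD and evaluate the local policy against it.
$sid    = (Get-ADServiceAccount -Identity $GmsaName).SID.Value
$result = Test-RemoteSamAccess -AccountSid $sid
$result
if ($result.Defined -and -not $result.Allowed) {
    Write-Warning "$GmsaName is not in the SAM-R allow list; MDI local-admin queries will fail on this host."
}
```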

******* Updates ***************************

  1. RODCs should also have permission to use the gMSA account.
  2. MDI will no longer support Windows Server 2008 R2 from 15/6/2022.
  3. Validate the SAM-R hotfixes listed in "Network access – Restrict clients allowed to make remote calls to SAM – Windows security | Microsoft Docs".
  4. The "Network access: Restrict clients allowed to make remote calls to SAM" policy can break applications that use the AuthZ interface, e.g. MS Exchange 2016 and 2013. If you use such applications, follow the steps described in "Access checks fail because of AuthZ – Windows Server | Microsoft Docs" to fix the issue.
  5. If you are using a GPO to manage "Log on as a service" accounts, make sure you add the MDI service account to it. Otherwise the sensor service will not start.
  6. The service account should have read-only permission on the Deleted Objects container. This allows Defender for Identity to detect user deletions in your Active Directory. Before granting the permission, the ownership of the container must be changed first, as the default ACL is SYSTEM-only:

     dsacls "CN=Deleted Objects,DC=rebeladmin,dc=com" /takeownership

     Also, when adding the gMSA to the ACL, a '$' suffix must be used or an error will be received: "No Sid Found for rebeladmin.com\aatp No mapping between account names and security IDs was done."

     dsacls "CN=Deleted Objects,DC=rebeladmin,dc=com" /g rebeladmin\gmsa$:LCRP

**** Special thanks to Ben Robinson – Microsoft Security Architecture for valuable feedback *****

Now we have a DSA ready for the deployment. In the next blog post I will demonstrate how to enable Advanced Auditing for MDI. In the meantime, if you have any questions, feel free to contact me at rebeladm@live.com, and follow me on Twitter @rebeladm to get updates about new blog posts.

I've got a client with a 2008 SBS running SQL 2005 Express. About a week ago they blew a breaker in the server room and the UPS ran out of battery and didn't shut down the server properly. Ever since then, I've noticed some odd things occurring, most notably the new errors in the Event Viewer, which seem to come hand-in-hand. I've scoured Google for quite some time and haven't found much, but might end up booting into DSRM and using ntdsutil to rebuild/repair the NTDS database? I just need some guidance from an actual person on the other end of the line. Below you will find the 2 errors that have been occurring. On the SAM 12294 error, I took the hex error code of E50000C0, flipped it around to get C00000E5 and used err.exe to see that it states:

"STATUS_INTERNAL_ERROR    ntstatus.h"

Please advise! I have some system state backups from Backup Exec from before the power outage if that makes things easier. Would it be as easy as just restoring that? Never done a sysstate restore before so not sure if that would work. Also, in the process of troubleshooting some other database errors, another 3rd party consultant performed the following: A) removed the sbsmonitoring instance from SQL server, and B) disabled Windows SharePoint (not an uninstall). But I'm pretty sure these errors preceded him doing that anyway.

Any guidance would be met with most welcome ears!!! See the 2 errors below. Thanks!

Oh, and I've also run a Consistency Check on the virtual RAID 5 volume, and it did find inconsistencies with the parity, but it was able to correct them on its own. And the errors still appear.

————————————————————————

Log Name:      System
Source:        Microsoft-Windows-Directory-Services-SAM
Date:          3/11/2011 2:23:00 PM
Event ID:      12294
Task Category: None
Level:         Error
Keywords:      Classic
User:          EFREE\SBSMonAcct
Computer:      EFCH2.efree.local
Description:
The SAM database was unable to lockout the account of SBSMonAcct due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Directory-Services-SAM" Guid="{0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE}" EventSourceName="SAM" />
    <EventID Qualifiers="0">12294</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-03-11T20:23:00.000Z" />
    <EventRecordID>50292</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>EFCH2.efree.local</Computer>
    <Security UserID="S-1-5-21-3792849115-2531354137-1702924751-3646" />
  </System>
  <EventData Name="SAMMSG_LOCKOUT_NOT_UPDATED">
    <Data Name="UserName">SBSMonAcct</Data>
    <Binary>E50000C0</Binary>
  </EventData>
</Event>

——————————————————————————————

Log Name:      Directory Service
Source:        NTDS ISAM
Date:          3/11/2011 2:23:00 PM
Event ID:      467
Task Category: Database Corruption
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      EFCH2.efree.local
Description:
NTDS (640) NTDSA: Database C:\Windows\ntds\ntds.dit: Index DRA_USN_index of table datatable is corrupted (0).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NTDS ISAM" />
    <EventID Qualifiers="0">467</EventID>
    <Level>2</Level>
    <Task>12</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-03-11T20:23:00.000Z" />
    <EventRecordID>17649</EventRecordID>
    <Channel>Directory Service</Channel>
    <Computer>EFCH2.efree.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>NTDS</Data>
    <Data>640</Data>
    <Data>NTDSA: </Data>
    <Data>DRA_USN_index</Data>
    <Data>datatable</Data>
    <Data>C:\Windows\ntds\ntds.dit</Data>
    <Data>0</Data>
  </EventData>
</Event>


I have a Windows 2008 SBS / Exchange 2007 server… that started getting the following error:
Microsoft-Windows-Directory-Services-SAM - Event ID: 12294
I had VPN added/enabled on the existing SonicWall and all was good for a day. I don't know if it is related, but if I unplug the ISP then the SAM error seems to go away… Virus? HELP… hope zones are selected correctly for help…

here is whole error;
Log Name:      System
Source:        Microsoft-Windows-Directory-Services-SAM
Date:          10/20/2011 8:36:48 AM
Event ID:      12294
Task Category: None
Level:         Error
Keywords:      Classic
User:          BOXERNW0\administrator
Computer:      PDXSBS.boxernw.int
Description:
The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Directory-Services-SAM" Guid="{0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE}" EventSourceName="SAM" />
    <EventID Qualifiers="0">12294</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-10-20T15:36:48.000Z" />
    <EventRecordID>748101</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>PDXSBS.boxernw.int</Computer>
    <Security UserID="S-1-5-21-1409082233-1343024091-839522115-500" />
  </System>
  <EventData Name="SAMMSG_LOCKOUT_NOT_UPDATED">
    <Data Name="UserName">Administrator</Data>
    <Binary>A50200C0</Binary>
  </EventData>
</Event>

I am getting tons of Event ID 12294 error messages (got a total of 38 in the last hour, and this is consistently how many we get every hour). We are also getting warning messages 1083 pretty consistently as well. In addition to the error message, our admin account is getting constantly locked out. How do I go about tracking down the source of these messages and fixing them? Please help!!!

Here is an example of the 12294 message: 

General:

The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

Details:

Provider [Name]:        Microsoft-Windows-Directory-Services-SAM
Provider [Guid]:        {0d4fdc09-8c27-494a-bda0-505e4fd8adae}
EventID:                12294
Version:
Level:
Task:
Opcode:
Keywords:               0x8000000000000000
TimeCreated [SystemTime]: 2020-11-17T17:43:47.908651300Z
EventRecordID:          260794
Correlation:
Execution [ProcessID]:  608
Execution [ThreadID]:   3664
Channel:                System
Computer:               DC1.ccc1.local
Security [UserID]:      S-1-5-18

EventData
UserName:               Administrator
Binary:                 A50200C0

Binary data:

In Words
0000: C00002A5

In Bytes
0000: A5 02 00 C0 ¥..À

Example of the 1083 event ID:

General:

Active Directory Domain Services could not update the following object with changes received from the directory service at the following network address because Active Directory Domain Services was busy processing information.

Object:
CN=Administrator,OU=Administrators,OU=Domain Users,DC=ccc1,DC=local
Network address:
651a1e3a-e3eb-47d5-8a47-f3d75d609530._msdcs.ccc1.local

This operation will be tried again later.

Details:

System
Provider [Name]:        Microsoft-Windows-ActiveDirectory_DomainService
Provider [Guid]:        {0e8478c5-3605-4e8c-8497-1e730c959516}
Provider [EventSourceName]: NTDS General
EventID:                1083
EventID [Qualifiers]:   32768
Version:
Level:
Task:
Opcode:
Keywords:               0x8080000000000000
TimeCreated [SystemTime]: 2020-11-17T17:45:52.457870900Z
EventRecordID:          42753
Correlation [ActivityID]: {b6c29acb-571d-4b50-ab7c-a20a01efa28e}
Execution [ProcessID]:  608
Execution [ThreadID]:   4720
Channel:                Directory Service
Computer:               DC1.ccc1.local
Security [UserID]:      S-1-5-7

EventData
CN=Administrator,OU=Administrators,OU=Domain Users,DC=ccc1,DC=local
651a1e3a-e3eb-47d5-8a47-f3d75d609530._msdcs.ccc1.local
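The byte-flip the first poster did by hand (E50000C0 becomes 0xC00000E5), automated as a triage script; this is an added example and not from any of the posts above. It decodes the Binary field of event 12294 into an NTSTATUS value and counts recent occurrences per account, assuming it runs on the domain controller (or with its System log reachable via Get-WinEvent -ComputerName). The two status names come from ntstatus.h; any other code is reported as unknown.

```powershell
# Added example, not from the posts above. Decode SAM 12294 "lockout not updated"
# events and summarise which accounts they affect.
function ConvertFrom-SamEventBinary {
    param([Parameter(Mandatory)][string]$Hex)   # e.g. 'E50000C0' as shown in Event XML
    # The event stores the DWORD little-endian, so the bytes must be reversed to
    # read it as an NTSTATUS (E50000C0 -> 0xC00000E5, A50200C0 -> 0xC00002A5).
    $bytes = [byte[]]($Hex -split '(..)' | Where-Object { $_ } |
                      ForEach-Object { [Convert]::ToByte($_, 16) })
    $code  = '{0:X8}' -f [BitConverter]::ToUInt32($bytes, 0)
    $names = @{                                # from ntstatus.h
        'C00000E5' = 'STATUS_INTERNAL_ERROR'   # what err.exe reported in the first post
        'C00002A5' = 'STATUS_DS_BUSY'          # matches the 1083 "busy" warning
    }
    [pscustomobject]@{
        Hex    = $Hex
        Status = "0x$code"
        Name   = if ($names.ContainsKey($code)) { $names[$code] } else { 'unknown (look up in ntstatus.h)' }
    }
}

function Get-SamLockoutFailures {
    param([int]$Hours = 1, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName      = 'System'
                 Id           = 12294
                 ProviderName = 'Microsoft-Windows-Directory-Services-SAM'
                 StartTime    = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $user = ($xml.Event.EventData.Data | Where-Object Name -eq 'UserName').'#text'
            $st   = ConvertFrom-SamEventBinary $xml.Event.EventData.Binary
            [pscustomobject]@{ Time = $_.TimeCreated; Account = $user; Status = $st.Name }
        } |
        Group-Object Account, Status | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Account, Status'; e = { $_.Name } }
}

# Offline check against the two codes quoted in the posts, then the live summary.
ConvertFrom-SamEventBinary 'E50000C0'
ConvertFrom-SamEventBinary 'A50200C0'
Get-SamLockoutFailures -Hours 1
```

A steady stream of STATUS_DS_BUSY against one account, together with the 1083 warnings, points at the directory itself being unable to write the lockout, not at the password failures that triggered it; the bad-password source still has to be found separately (the Security log's 4740/4771 events on the DC name the caller).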
