@mcliviu have you ever looked at the baseline security policies for Windows?

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines

 

It specifies the following should be set for Windows clients and member servers:

Network access: Restrict clients allowed to make remote calls to SAM

O:BAG:BAD:(A;;RC;;;BA)

 

Domain Controllers are listed as blank, which I think is required to allow a DC to work correctly.

 

I thought by default the remote SAM was open to anonymous access? Or is that the case when the domain has gone through upgrades from early versions? So if it's not open, I would have thought you already had a GPO in place that was locking it down. If you're locking it down via GPO, you should be able to add the AATP account to that GPO.
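The suggestion above is to add the AATP account to the GPO that sets "Restrict clients allowed to make remote calls to SAM". As an added example (not code from the original thread or from Microsoft), here is PowerShell that reads a machine's current RestrictRemoteSAM value, appends an access-allowed ACE for a named account or SID to the baseline SDDL without duplicating it, and optionally writes the result into a GPO. It assumes Windows PowerShell 5.1 on a domain-joined Windows host (SDDL parsing relies on the Windows security APIs); the GPO name and the SID used at the bottom are placeholders, and the last function needs the GroupPolicy RSAT module.

```powershell
# Added example, not code from the original post or from Microsoft.
# Extends the baseline SDDL for "Network access: Restrict clients allowed to
# make remote calls to SAM" with one more allow ACE, so a service account can
# be added to the GPO that locks remote SAM down.
# Placeholders/assumptions: the GPO name and the SID in the demonstration below.

$BaselineSddl = 'O:BAG:BAD:(A;;RC;;;BA)'   # baseline value for clients / member servers

function Get-RestrictRemoteSamSddl {
    # The policy is stored as a REG_SZ under the Lsa key on the target machine.
    # Returns $null when the value is absent (the OS default then applies).
    $item = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                             -Name 'RestrictRemoteSAM' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.RestrictRemoteSAM
}

function Add-RemoteSamAllowAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        # Either 'DOMAIN\name' (resolved via the domain) or a SID string 'S-1-5-21-...'
        [Parameter(Mandatory)][string]$Account
    )
    if ($Account -match '^S-1-') {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($Account)
    } else {
        $sid = [System.Security.Principal.NTAccount]::new($Account).Translate(
                   [System.Security.Principal.SecurityIdentifier])
    }

    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) {
        # No D: part at all; start an empty DACL (revision 2) rather than fail.
        $sd.DiscretionaryAcl = [System.Security.AccessControl.RawAcl]::new(2, 1)
    }

    # Idempotency: if an access-allowed ACE for this SID already exists, return unchanged.
    foreach ($ace in $sd.DiscretionaryAcl) {
        if (($ace -is [System.Security.AccessControl.CommonAce]) -and ($ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed) -and ($ace.SecurityIdentifier -eq $sid)) {
            return $Sddl
        }
    }

    # RC in SDDL is READ_CONTROL (0x00020000), the same right the baseline grants to BA.
    $readControl = 0x00020000
    $newAce = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $readControl, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $newAce)

    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Set-RestrictRemoteSamGpo {
    # Writes the descriptor into a GPO (needs the GroupPolicy RSAT module and edit rights on it).
    # Do not link that GPO to Domain Controllers: the baseline leaves the DC value blank.
    param(
        [Parameter(Mandatory)][string]$GpoName,   # placeholder, e.g. 'Baseline - Member Servers'
        [Parameter(Mandatory)][string]$Sddl
    )
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
        -ValueName 'RestrictRemoteSAM' -Type String -Value $Sddl
}

# Demonstration: start from the machine's current value if one is set, otherwise
# the baseline string, and add a constructed placeholder SID (not a real account).
$current = Get-RestrictRemoteSamSddl
if (-not $current) { $current = $BaselineSddl }
$placeholderSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$updated = Add-RemoteSamAllowAce -Sddl $current -Account $placeholderSid
Write-Output "Before: $current"
Write-Output "After:  $updated"
# Running the add twice must be a no-op, which is what a GPO maintenance script needs.
if ((Add-RemoteSamAllowAce -Sddl $updated -Account $placeholderSid) -ne $updated) {
    throw 'Add-RemoteSamAllowAce is not idempotent'
}
# To push it out:  Set-RestrictRemoteSamGpo -GpoName 'Baseline - Member Servers' -Sddl $updated
```

The script only reads the local registry and parses strings until you call Set-RestrictRemoteSamGpo yourself, so it can be reviewed safely first; use the real 'DOMAIN\account' form (or its SID) in place of the placeholder, and keep DCs on a separate GPO that leaves the value blank, as the baseline does.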

 
