
I recently deployed Azure ATP to an environment running Windows Server 2012 R2 and older machines. During the configuration, the Azure ATP service account was added to "Network access: Restrict clients allowed to make remote calls to SAM" and pushed out to all machines via the Default Domain Policy, as required for lateral movement detection.


Shortly after this change, users were denied access through RDS; domain admins were still able to use RDS. As a workaround, selected users were added to the "Network access: Restrict clients allowed to make remote calls to SAM" policy to restore service.


I've done some research and did not come across any article about configuration conflicts between the remote calls to SAM policy and the RDS service. One article I was able to find talks about changes to RDS in Windows Server 2016, where RCM no longer queries the user's object in AD DS, which may or may not be related.


Has anyone come across this issue? Does anyone have a better understanding of RDS, how SAM-RPC is used, and what the recommended configuration is?
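The policy discussed in the post is stored on each machine as an SDDL string in the RestrictRemoteSam value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and the right it checks is RC (READ_CONTROL). The following PowerShell is an added example (not code from the post or from Microsoft) for inspecting the effective setting, building an SDDL that allows BUILTIN\Administrators plus a named account, and applying it locally in audit-only mode so that callers you have missed are logged rather than blocked. The account name CONTOSO\svc-aatp is a placeholder; the RestrictRemoteSamAuditOnlyMode value and the Directory-Services-SAM events it produces are documented alongside the policy.

```powershell
# Added example: inspect and rebuild the RestrictRemoteSam policy value.
# 'CONTOSO\svc-aatp' is an assumed placeholder for the Azure ATP service account.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RemoteSamPolicy {
    # Returns one row per ACE so you can see exactly who is allowed or denied.
    $sddl = (Get-ItemProperty -Path $LsaKey -Name RestrictRemoteSam -ErrorAction SilentlyContinue).RestrictRemoteSam
    if (-not $sddl) {
        Write-Warning 'RestrictRemoteSam is not set; the OS default applies.'
        return
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier
        $name = $sid.Value
        # Translate the SID to an account name where possible; keep the SID otherwise.
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Type       = $ace.AceType                       # AccessAllowed / AccessDenied
            Principal  = $name
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)     # 0x20000 = RC (READ_CONTROL)
        }
    }
}

function New-RemoteSamSddl {
    param([string[]]$AllowedPrincipals)
    # Grants RC to BUILTIN\Administrators (BA) plus each named principal, resolved to its SID.
    $aces = '(A;;RC;;;BA)'
    foreach ($p in $AllowedPrincipals) {
        $sid = (New-Object System.Security.Principal.NTAccount($p)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        $aces += "(A;;RC;;;$sid)"
    }
    "O:BAG:BAD:$aces"
}

function Set-RemoteSamPolicy {
    param([Parameter(Mandatory)][string]$Sddl, [switch]$AuditOnly)
    # Writes the descriptor; with -AuditOnly the OS logs would-be denials
    # (Directory-Services-SAM events in the System log) instead of enforcing them.
    Set-ItemProperty -Path $LsaKey -Name RestrictRemoteSam -Value $Sddl -Type String
    Set-ItemProperty -Path $LsaKey -Name RestrictRemoteSamAuditOnlyMode `
        -Value ([int]$AuditOnly.IsPresent) -Type DWord
}

# Usage (run elevated on the target machine):
Get-RemoteSamPolicy | Format-Table -AutoSize
$sddl = New-RemoteSamSddl -AllowedPrincipals 'CONTOSO\svc-aatp'
$sddl
# Set-RemoteSamPolicy -Sddl $sddl -AuditOnly    # uncomment to apply locally in audit mode
```

Two practical notes: when the setting is delivered by Group Policy, a local registry write is overwritten at the next refresh, so the permanent change belongs in the GPO (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options) and the local write is only useful for a quick test; and running in audit-only mode first shows which accounts and hosts are actually making SAM-RPC calls before you enforce the restriction.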