Restrict clients allowed to make remote SAM calls

John Curtiss 66 Reputation points
2021-06-03T14:24:26.983+00:00

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls

Network access: Restrict clients allowed to make remote calls to SAM

If I'm reading this article correctly, it says "the default security descriptor" is given this right if the policy is not configured, and that the "default security descriptor" on workstations and member servers is "administrators", but on domain controllers it is "everyone". However, I just promoted a bunch of 2016 DCs, and this does not seem to be the case.

I have nothing set in GPO for this setting for domain controllers. If I do RSOP on a DC or a member server, the security descriptor is blank for this setting. If I do gpedit on a domain controller, the local security policy says O:BAG:BAD:(A;;RC;;;BA) and has domain\administrators when I click 'Edit Security'.

On member servers, I do have this explicitly set to administrators, and RSOP has the same security descriptor O:BAG:BAD:(A;;RC;;;BA), but has localserver\administrators in 'Edit Security' (not domain\administrators).

  1. Are 2016 domain controllers really supposed to have "everyone" in this?
  2. By default?
  3. Any thoughts on why mine don't have "everyone" in this by default?

Edit: this came up because we use CyberArk to automatically rotate certain passwords. So if I have a CyberArk-managed account called "CyberarkAccount1", every couple of days CyberArk logs into AD as that account and changes its password. This has been working for years on 2012 R2 domain controllers, which don't have this "restrict clients who can make SAM calls" setting.
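The following is an added example, not code from the thread or from Microsoft: it reads the effective value of this policy on a list of computers, decodes the SDDL so the allowed principals are visible, and compares it against the value you would expect for the machine's role. It assumes WinRM is enabled on the targets, that the caller is an administrator on them, and uses placeholder computer names. The registry location (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSam, REG_SZ) and the SDDL forms are taken from the Microsoft article linked above; `BA` is BUILTIN\Administrators, `WD` is Everyone, and `RC` (READ_CONTROL) is the only right the policy evaluates.

```powershell
# Added example (not from the thread). Assumptions: WinRM enabled on targets, caller is a
# local administrator there, computer names below are placeholders.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'RestrictRemoteSam'

# Expected SDDL per role, from the linked Microsoft article:
#   BA = BUILTIN\Administrators, WD = Everyone, RC = READ_CONTROL.
$expected = @{
    MemberServer     = 'O:BAG:BAD:(A;;RC;;;BA)'   # documented default on workstations and member servers
    DomainController = 'O:BAG:BAD:(A;;RC;;;WD)'   # documented default on domain controllers
}

function Get-RemoteSamPolicy {
    param([string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key  = $using:lsaKey
        $name = $using:valueName
        # Absent value means the policy is "Not defined" and the built-in default applies.
        $sddl = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
        $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Role     = if ($isDc) { 'DomainController' } else { 'MemberServer' }
            Sddl     = $sddl
        }
    } | Select-Object Computer, Role, Sddl
}

function Test-RemoteSamPolicy {
    param([string[]]$ComputerName)

    foreach ($r in Get-RemoteSamPolicy -ComputerName $ComputerName) {
        # ConvertFrom-SddlString resolves the SIDs in the DACL to readable account names,
        # which is the same view gpedit's 'Edit Security' dialog gives you.
        $allowed = if ($r.Sddl) {
            (ConvertFrom-SddlString -Sddl $r.Sddl).DiscretionaryAcl -join '; '
        } else {
            '<not set: built-in default for this role applies>'
        }
        [pscustomobject]@{
            Computer        = $r.Computer
            Role            = $r.Role
            Sddl            = $r.Sddl
            Allowed         = $allowed
            MatchesExpected = ($r.Sddl -eq $expected[$r.Role])
        }
    }
}

# Placeholder names; replace with your DCs and member servers.
Test-RemoteSamPolicy -ComputerName 'dc01', 'dc02', 'srv01' | Format-Table -AutoSize
```

A DC that reports `MatchesExpected = False` with the Administrators SDDL is in the state described in this question: a local or domain policy has written the member-server value, so a non-administrator account (such as a password-rotation service account) will be refused when it tries to open SAM remotely on that DC. An empty `Sddl` column is not a finding by itself; it means no policy is applied and the role's built-in default is in effect.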


2 answers

  1. Daisy Zhou 18,716 Reputation points Microsoft Vendor
    2021-06-04T07:55:17.303+00:00

    Hello @JohnpCurtiss,

    Thank you for posting here.

    Here are the answers for your reference.

    Q1: But on domain controllers, it is "everyone". However, I just promoted a bunch of 2016 DCs, and this does not seem to be the case.
    A1: By default, the setting shows as "Not Defined" (we cannot explicitly see Everyone on a domain controller or "Administrators" on member servers), but they have such an "existing" setting on different versions of Windows, as the article mentions.


    Q2: Are 2016 domain controllers really supposed to have "everyone" in this?
    A2: Yes, see A1.

    Q3: This has been working for years on 2012 R2 domain controllers, which don't have this "restrict clients who can make SAM calls" setting.
    A3: The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM), and it can be configured on earlier Windows client and server operating systems by installing the updates from the KB articles listed in the "Applies to" section of that topic.


    In my lab, on a Windows Server 2012 R2 DC where I did not install KB4012219, I cannot see such a GPO setting (Network access: Restrict clients allowed to make remote calls to SAM) either.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou



  2. John Curtiss 66 Reputation points
    2021-06-06T02:51:16.747+00:00

    It was still set to "administrators" on all my 2016 DCs, in two separate domains, via their local group policies. I had to set up domain GPOs for the Domain Controllers OUs in each domain explicitly setting this to "everyone". I'm still kind of curious why they didn't switch from "administrators" to "everyone" automatically when they were promoted to DCs, if that is the default setting for DCs. But I guess that's moot now.