Unable to list accounts while adding Windows group under Provisioning Group targets through Vault Admin Console

Article ID: 100054846

Description

Error Message

While adding a Windows group under Provisioning Group targets through the Vault Admin Console, the following error is displayed:

******************

Unable to list accounts in

Access to the domain controller in domain was denied.

You do not have sufficient privileges to perform this operation. You must have read privileges in domain

******************


Cause

The group policy setting Network access: Restrict clients allowed to make remote calls to SAM controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database and in Active Directory.

When this policy setting is enabled in the domain, it can be inspected on the domain controller that Enterprise Vault contacts for its Active Directory lookups: open the registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa on that Domain Controller and look for the value RestrictRemoteSAM of type REG_SZ. The value is a security descriptor in SDDL form, and only accounts granted access by it may make remote SAM calls.

NOTE: By default the value O:BAG:BAD:(A;;RC;;;BA) is present, which gives Built-In Administrators permission to enumerate users and groups. An account that is not covered by this descriptor, such as the Vault Service Account, is refused and the error above results.


Resolution

The Vault Service Account (VSA) must be able to make remote calls to SAM while adding a Windows group under Provisioning Group targets.

To grant the VSA the required permission, follow these steps:

  • On the Domain Controller: open the Run command window, type gpedit.msc and press Enter.
  • The Local Group Policy Editor window opens.
  • Navigate to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.
  • Under Security Options, select Network access: Restrict clients allowed to make remote calls to SAM | Right click | Properties | Edit Security... | Add | Enter name of VSA as object name | OK.
  • Make sure Remote Access is allowed | OK | Apply | OK.


Once the changes have been performed, launch the Vault Admin Console (VAC) and attempt to add Windows group under Provisioning Group targets.
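To verify the result before retrying in the VAC, the following PowerShell script (an added example, not part of the Veritas article) reads the RestrictRemoteSAM value described above, lists each entry of its security descriptor, and reports whether a given account holds the Remote Access right (READ_CONTROL, the RC right in the default SDDL). The account name CONTOSO\svc-vault is a placeholder; run the script on the domain controller as an administrator with the real VSA name.

```powershell
# Added example: audit RestrictRemoteSAM on a domain controller and check whether
# the Vault Service Account holds "Remote Access" (READ_CONTROL, SDDL right 'RC').
param(
    [string]$VsaAccount = 'CONTOSO\svc-vault'   # placeholder, substitute the real VSA
)

$RegPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName   = 'RestrictRemoteSAM'
$ReadControl = 0x20000   # READ_CONTROL: the right the policy UI labels "Remote Access"

function Get-RestrictRemoteSamSddl {
    # Returns $null when the policy has never been applied (value absent)
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Test-RemoteSamAccess {
    param([string]$Sddl, [string]$Account)
    # Compare by SID so renamed accounts or different display formats do not mislead
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -ne $sid) { continue }
        # An explicit Deny for this SID overrides any later Allow
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) { return $false }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            ($ace.AccessMask -band $ReadControl) -eq $ReadControl) { return $true }
    }
    return $false
}

$sddl = Get-RestrictRemoteSamSddl
if (-not $sddl) { Write-Output "$ValueName is not set on this DC."; return }
Write-Output "Current SDDL: $sddl"
# Print every ACE; with the default O:BAG:BAD:(A;;RC;;;BA) only Built-In Administrators appear
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
foreach ($ace in $sd.DiscretionaryAcl) {
    $who = $(try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
             catch { $ace.SecurityIdentifier.Value })
    Write-Output ("  {0,-13} {1,-40} mask=0x{2:X}" -f $ace.AceType, $who, $ace.AccessMask)
}
if (Test-RemoteSamAccess -Sddl $sddl -Account $VsaAccount) {
    Write-Output "$VsaAccount has Remote Access; the VAC lookup should now succeed."
} else {
    Write-Output "$VsaAccount lacks Remote Access; apply the policy steps above, then run gpupdate /force."
}
```

The script only reads the registry; make the change itself through the policy editor as described so it is not overwritten at the next Group Policy refresh.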