WIN2019 MID Servers performing SAMR queries on users when upgrading or when a patch is applied.

rebbert
Tera Expert


During the seiccorpdev instance San Diego upgrade on 8/26, starting at 2:31 am EDT and ending at 3:36, the WIN2019 MID servers performed SAMR queries against Azure users. The MID servers were SNMIDCORPDEV01 and SNMIDCORPDEV04. The WIN2012 MID servers never did this.
See attached information from our Security Information and logs from the two MID servers in question. Also attached are the logs from the MID servers during the San Diego upgrade time period.


SK Chand Basha
Giga Sage

Hi @rebbert

Have you found the reasons for it?

SK Chand Basha
Giga Sage

Hi @rebbert

During the MID Server start up, the "net localgroup administrators" command is run when checking if the process has Start / Stop Service permissions. This is used in logic for restarting the MID server from the instance and the AutoUpgrade process.

Please review KB1646558, which includes a workaround to prevent the above check and command from running on your host.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1646558

Mark it Helpful and Accept Solution!! If this helps you to understand.
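
A triage sketch for the situation in this thread, added here as an example and not ServiceNow's or either poster's code: it marks a SAMR-enumeration alert as explained when the same host ran `net localgroup administrators` just before it, and leaves everything else for investigation. The record shapes, timestamps, the host `WKSTN-EXAMPLE` and the time window are constructed assumptions; the link between the command and the SAMR queries is taken from the reply above.

```python
import re
from datetime import datetime

# The startup check named in the reply above; net.exe hands off to net1.exe, so accept both.
NET_LOCALGROUP = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\b", re.I)

# Constructed process-creation records (fields modelled loosely on Sysmon Event ID 1).
PROC_EVENTS = [
    {"host": "SNMIDCORPDEV01", "time": "2000-01-01T02:31:05", "cmd": "net localgroup administrators"},
    {"host": "SNMIDCORPDEV01", "time": "2000-01-01T02:31:05",
     "cmd": r"C:\Windows\system32\net1 localgroup administrators"},
    {"host": "SNMIDCORPDEV04", "time": "2000-01-01T03:10:40", "cmd": "NET.EXE  LOCALGROUP Administrators"},
    {"host": "SNMIDCORPDEV04", "time": "2000-01-01T03:11:00", "cmd": 'net localgroup "Remote Desktop Users"'},
]

# Constructed SAMR-enumeration alerts, as a security tool might export them.
ALERTS = [
    {"source": "SNMIDCORPDEV01", "time": "2000-01-01T02:31:07"},
    {"source": "SNMIDCORPDEV04", "time": "2000-01-01T03:10:42"},
    {"source": "SNMIDCORPDEV04", "time": "2000-01-01T03:30:00"},  # no matching command nearby
    {"source": "WKSTN-EXAMPLE", "time": "2000-01-01T02:31:06"},   # host never ran the command
]


def triage(alerts, proc_events, window_s=120, skew_s=5):
    """Return (source, time, verdict) for each alert.

    An alert is 'mid-startup-check' when the same host ran the command no more
    than window_s seconds before it (skew_s allows for clock drift between the
    two log sources); otherwise it is 'investigate'.
    """
    runs = [(e["host"].upper(), datetime.fromisoformat(e["time"]))
            for e in proc_events if NET_LOCALGROUP.search(e["cmd"])]
    results = []
    for alert in alerts:
        at = datetime.fromisoformat(alert["time"])
        explained = any(
            host == alert["source"].upper() and -skew_s <= (at - ran).total_seconds() <= window_s
            for host, ran in runs
        )
        results.append((alert["source"], alert["time"],
                        "mid-startup-check" if explained else "investigate"))
    return results


if __name__ == "__main__":
    for row in triage(ALERTS, PROC_EVENTS):
        print(*row)
```

Alerts left as `investigate` are the ones to look at: SAMR enumeration from a MID server host outside a start-up or upgrade, or from a host that never ran the check.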