From e55fb71571f441bc212c53e22da201b73bda9f80 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 24 May 2017 09:44:31 -0700 Subject: [PATCH] copyedit --- ...-access-restrict-clients-allowed-to-make-remote-sam-calls.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index c9343fce95..692ad4696a 100644 --- a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -107,7 +107,7 @@ Audit only mode configures the SAM interface to do the access check against the There are corresponding events that indicate when remote calls to the SAM are restricted, what accounts attempted to read from the SAM database, and more. The following workflow is recommended to identify applications that may be affected by restricting remote calls to SAM: 1. Dump event logs to a common share. 2. Parse them with the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script. -3. Review Event IDs 16962 to 16969, as listed in the following table, in the System log with event source Directory-Service-SAM.
+3. Review Event IDs 16962 to 16969, as listed in the following table, in the System log with event source Directory-Service-SAM. 4. Identify which security contexts are enumerating users or groups in the SAM database. 5. Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string.