Summary

When NTLM is restricted (specifically, outgoing NTLM) on a workstation or server, JIT groups added via Group Policy may not apply correctly.

Cause

NTLM is often disabled on Windows using the following Group Policy settings found in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:

• Network security: Restrict NTLM: Incoming NTLM traffic – "Deny All Accounts"

• Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers – "Deny All"

Another Group Policy setting, commonly appearing in configuration benchmarks, is known to cause issues when NTLM is restricted: "Enable RPC Endpoint Mapper Client Authentication"

At the time of writing (August 2023), Microsoft documentation states that these two settings are incompatible.

Resolution

To quote Microsoft's documentation:

It's encouraged to move away from NTLM to better secure your environment. If faced with a choice between restricting NTLM and using EnableAuthEpResolution, the recommended approach is that you restrict NTLM in your environment.

Once RPC Endpoint Mapper Client Authentication (EnableAuthEpResolution) is disabled, groups should sucessfully apply using Group Policy after a reboot.

Detailed Explanation

When making changes to Local Users and Groups via GPO, Windows needs to be aware of the security identifier (SID) of the group.

Typically, when a group is added to a local group on a computer via GPO, the SID is precomputed, as the exact group to be added is already known. However, when the name of the group contains a variable - such as %computername% - SIDs are not pre-computed in the policy (as the group name will depend on the machine itself).

As a result, Windows uses the LsaLookupNames2 function from ntsecapi.h to transform security group names (e.g. DOMAIN\Group) into security identifiers (SIDs) on the client.

The first part of this process is for the client to connect to a domain controller and call Endpoint Mapper (TCP 135). This allows the client to identify the port on which to connect to the MS-LSAT service.

However, when EnableAuthEpResolution is enabled, the RPC Endpoint Mapper Client will use NTLMSSP to authenticate to the Endpoint Mapper Service on the domain controller. As NTLM is disabled on the client, this connection fails!

This authentication failure means that the resolution of the group name fails. As a result, the group is never added to the local group on the workstation or server.