Hello @Sakura434 ,
Thank you for posting here.
I have check 2016 DC in my lab.
By default, the following settings are not defined in Default Domain Policy.
Domain member: Digitally encrypt or sign secure channel data (always)==>Not defined
Domain member: Digitally encrypt secure channel data (when possible)==>Not defined
Domain member: Digitally sign secure channel data (when possible)==>Not defined
Domain member: Disable machine account password changes==>Not defined
Network access: Restrict clients allowed to make remote calls to SAM==>Not defined
the following settings are not defined in Default Domain Controller Policy except the first settings.
Domain member: Digitally encrypt or sign secure channel data (always)==>Enabled
Domain member: Digitally encrypt secure channel data (when possible)==>Not defined
Domain member: Digitally sign secure channel data (when possible)==>Not defined
Domain member: Disable machine account password changes==>Not defined
Network access: Restrict clients allowed to make remote calls to SAM==>Not defined
Q: Network access: Restrict clients allowed to make remote calls to SAM ----- >what happened if configure these both server and client
A: If the policy is defined, admin tools, scripts and software that formerly enumerated users, groups and group membership may fail.
For more information, please refer to link below.
Network access: Restrict clients allowed to make remote calls to SAM
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.