Hi Richard,
As far as I know, when deploying SCOM Agents to Domain Controllers, we might see them go into a heartbeat failed state. We need to remove the explicit deny for Local System and add it to the allowed list with the following command:
HSLockdown.exe /A "NT AUTHORITY\SYSTEM"
Here is an article for reference (although the article is for SCOM 2016, it also applies to SCOM 2019 UR1):
https://kevinholman.com/2016/11/04/deploying-scom-2016-agents-to-domain-controllers-some-assembly-required/
Note: Non-Microsoft link, just for reference.
From your description, I understand you want to use the lockdown tool to define permissions for a gMSA account. If the error on the DC is also with this account, we can add it to the allowed list. Based on my test, the answer to your question is yes.
The account used in HSLockdown needs to be specified in one of the following fully qualified domain name (FQDN) formats:
- NetBIOS: DOMAIN\username
- UPN: username@fqdn.com
We can check the msDS-PrincipalName of the gMSA account and assign the permission using the following command:
HSLockdown.exe /A <msDS-PrincipalName of the gMSA account>
Note: please change the information to match your environment.
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
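The steps in the answer above, put together as an added PowerShell example (not code from the original answer or from Microsoft): it reads the gMSA's msDS-PrincipalName from AD, lists the current HSLockdown state, allows the account, and re-checks. The gMSA name, the agent install path and running it on the DC itself are assumptions; the HSLockdown switches used (/L to list, /A to allow) are the tool's own.

```powershell
# Run on the domain controller that hosts the SCOM agent, in an elevated prompt.
# Assumed gMSA name and agent install path; adjust to your environment.
$GmsaName   = 'scomgmsa$'
$HsLockdown = 'C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe'

Import-Module ActiveDirectory

# msDS-PrincipalName is the DOMAIN\account form HSLockdown expects (NetBIOS format).
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties 'msDS-PrincipalName'
$account = $gmsa.'msDS-PrincipalName'
if (-not $account) { throw "msDS-PrincipalName not returned for $GmsaName" }

# Show the allow/deny lists before the change so the delta is visible in the log.
Write-Host "HSLockdown state before:"
& $HsLockdown /L

# Add the gMSA to the allowed list (same form as the answer's HSLockdown.exe /A command).
& $HsLockdown /A $account
if ($LASTEXITCODE -ne 0) { throw "HSLockdown /A failed with exit code $LASTEXITCODE" }

# Verify the account now appears as allowed.
Write-Host "HSLockdown state after:"
$after = & $HsLockdown /L
if (-not ($after -match [regex]::Escape($account))) {
    throw "$account not found in HSLockdown output after /A"
}

# The new lockdown settings take effect when the agent service restarts.
Restart-Service -Name HealthService
```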