We are trying to get AWS SSM working with our domain-joined Windows machines. However, upon joining the domain and moving to a 'normal' OU, the ssm-user account gets disabled at some point.
We can re-enable the account without issue. Reboot, run gpupdate, etc. BUT, as soon as we try to use AWS SSM to connect, the account gets disabled again. No event in Event Viewer says the account got disabled. (I was expecting something in the Security event log; I did check the other primary logs, but there was nothing there either.)
The only bits I can find are Security log event ID 4625: Audit Failure. This shows logon type = 3 (Network).
This (overall) might be related to the GPO 'Deny access to this computer from the network', but the GPO doesn't say it will disable a failing account.
Has anyone seen this happen before? Any insight perhaps?
Linux devices work fine, even though they are added to the domain (no Linux-targeting GPOs as of yet). Non-domain-joined Windows devices also function with SSM/ssm-user just fine. I did a few full reviews of gpresult on different machines. I manually combed through the GPOs in the tree down to the normal OU for these machines and found nothing significant/screaming like "disable the ssm-user account" or "disable all accounts that are local and part of Administrators". Just the deny via network logon.
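A diagnostic that pulls together the three things the post hinges on (the account's current state, who holds the deny-network-logon right, and the decoded 4625 failures plus any 4725/4722 disable/enable events), added here as an example and not code from the original post or from AWS. It assumes an elevated PowerShell session on the affected instance and the default local account name 'ssm-user'.

```powershell
# Added diagnostic, not code from the original post. Assumptions: run from an
# elevated PowerShell on the affected instance; the local account is 'ssm-user'.
$Account = 'ssm-user'
$Since   = (Get-Date).AddDays(-1)

# NTSTATUS SubStatus values a 4625 for this account is most likely to carry.
$SubStatusText = @{
    '0xc000015b' = 'logon type not granted on this machine (deny-network-logon right in effect)'
    '0xc0000072' = 'account is disabled'
    '0xc0000234' = 'account is locked out'
    '0xc000006a' = 'wrong password'
}

# 1. Current state of the local account.
$u = Get-LocalUser -Name $Account -ErrorAction Stop
"{0}: Enabled={1} LastLogon={2} PasswordLastSet={3}" -f $Account, $u.Enabled, $u.LastLogon, $u.PasswordLastSet

# 2. Who holds SeDenyNetworkLogonRight in the effective local policy.
#    Values are SIDs; S-1-5-32-544 is the local Administrators group, which ssm-user belongs to.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
(Select-String -Path $cfg -Pattern '^SeDenyNetworkLogonRight').Line
Remove-Item $cfg -Force

# 3. Account-management events that should appear if something disabled or re-enabled
#    the account: 4725 = disabled, 4722 = enabled. Property 0 = TargetUserName, 4 = SubjectUserName.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4725,4722; StartTime=$Since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $Account } |
    ForEach-Object { "{0} EventId={1} by {2}" -f $_.TimeCreated, $_.Id, $_.Properties[4].Value }

# 4. Logon failures for the account, decoded.
#    4625 schema: property 5 = TargetUserName, 9 = SubStatus, 10 = LogonType.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$Since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -eq $Account } |
    ForEach-Object {
        $sub = '0x{0:x8}' -f [uint32]$_.Properties[9].Value
        "{0} LogonType={1} SubStatus={2} ({3})" -f $_.TimeCreated, $_.Properties[10].Value, $sub, $SubStatusText[$sub]
    }
```

A 4625 with SubStatus 0xc000015b confirms the deny-network-logon assignment is what rejects the type 3 logon, whereas 0xc0000072 with no matching 4725 means the disable happened without the host's account-management auditing recording it (check that the "Audit User Account Management" subcategory is enabled).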