Recently I noticed that every few days, at (almost) the same time, one host is querying the Domain Controller for group members using SAMR calls. I am trying to understand why it's happening continuously around the same time. Is there a legitimate service that is automated to do so?
And how can I investigate that at the host level?