A new feature in Windows Server 2016 (and available in earlier version by installing an update) adds the policy:
Network access: Restrict clients allowed to make remote calls to SAM
These functions check all DCs for the current state of this policy and allows deleting the key from the registry of all DCs in the domain if needed.
You may read about this feature on MS Docs here.
The function is desinged to run from any computer in the domain given that the AD PowerShell module is available and the account has sufficient privilages on the DCs
To use it just copy the function into a PowerShell session then use any of the example below.
Lists the registry value for the property on all DCs in the domain.
Example
Get-DomainRestrictRemoteSAM | Format-TableDeletes the property on all DCs in the domain.
Example
Remove-DomainRestrictRemoteSAM | Format-Table