I make extensive use of them. Anytime I need a service account (for Windows based apps that can utilize them) I use an MSA or GMSA. They work great as they remove the manual password management task from you.
For example, I always install MSSQL servers with them, the required permissions are well documented in regards to what each service requires in which scenarios. To be honest, I can't fathom any app needing that level of permission and I am not sure I would automate one that did... Find out what uses it, I doubt once you know that you will have any trouble inferring the genuine permission requirements... jlc From: [email protected] [mailto:[email protected]] On Behalf Of Miller Bonnie L. Sent: Wednesday, May 24, 2017 2:59 PM To: [email protected] Subject: [NTSysADM] Managed Service Accounts So, I'm doing a regular review of admin accounts and found something odd I want to ask about before I change that I can't find any reference to in Google-land. Our "Enterprise admins" group has a managed service account in it, which I don't think should be there, but I really don't know as we had a new system installed this last year and it's actually our first managed service account, so I don't have another one to compare it to. Although I have participated in the some of the later setup, another domain admin helped with this portion while I was out. So, does anyone who is using managed service accounts see them show up in your Enterprise Admins group, or have any reference to documentation saying it should be there? On the account properties there is no "member of" tab to look at. If it's not supposed to be there I want to remove it and restart the related systems to make sure everything continues to work correctly, but wouldn't want to change it if it's supposed to be there. Thanks, Bonnie
