Once that issue is straightened out, you may want to make Enterprise Admins, Schema Admins and Domain Admins restricted groups using Group Policy. Our Enterprise and Schema Admin groups are empty and kept that way by the GPO setting. The setting for Domain Admins is set to allow only the few accounts that really need to be members.
If you do this and something similar happens again, the service account would lose membership as soon as there was a Group Policy refresh. Obviously someone with DA rights could get around this by adding the service account to the policy, but it's still probably worth doing.

*From:* [email protected] [mailto:[email protected]] *On Behalf Of* Joseph L. Casale
*Sent:* Wednesday, May 24, 2017 6:09 PM
*To:* [email protected]
*Subject:* [NTSysADM] RE: Managed Service Accounts

I make extensive use of them. Anytime I need a service account (for Windows based apps that can utilize them) I use an MSA or GMSA. They work great as they remove the manual password management task from you. For example, I always install MSSQL servers with them; the required permissions are well documented in regards to what each service requires in which scenarios.

To be honest, I can't fathom any app needing that level of permission and I am not sure I would automate one that did… Find out what uses it; I doubt once you know that you will have any trouble inferring the genuine permission requirements…

jlc

*From:* [email protected] [mailto:[email protected]] *On Behalf Of* Miller Bonnie L.
*Sent:* Wednesday, May 24, 2017 2:59 PM
*To:* [email protected]
*Subject:* [NTSysADM] Managed Service Accounts

So, I'm doing a regular review of admin accounts and found something odd that I want to ask about before I change it, as I can't find any reference to it in Google-land. Our "Enterprise Admins" group has a managed service account in it, which I don't think should be there, but I really don't know, as we had a new system installed this last year and it's actually our first managed service account, so I don't have another one to compare it to. Although I have participated in some of the later setup, another domain admin helped with this portion while I was out.
So, does anyone who is using managed service accounts see them show up in your Enterprise Admins group, or have any reference to documentation saying it should be there? On the account properties there is no "Member Of" tab to look at. If it's not supposed to be there I want to remove it and restart the related systems to make sure everything continues to work correctly, but wouldn't want to change it if it's supposed to be there.

Thanks,
Bonnie
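As an added example (not written by anyone in this thread), here is a PowerShell script for the kind of review Bonnie describes: it lists every member of Enterprise Admins, Schema Admins and Domain Admins, flags any standalone or group managed service account it finds, and then reads the account's own memberOf, host-computer and password-retrieval attributes, which is how you answer "what uses it?" when the account has no "Member Of" tab in the GUI. It assumes the ActiveDirectory RSAT module is available and that the caller can read the forest root domain; the group names are the built-in ones and every account name in the output comes from the directory it is run against.

```powershell
# Added example, not from the thread: audit the forest's privileged groups for
# managed service accounts and show what each one is used by.
# Assumes the ActiveDirectory RSAT module and read access to the forest root domain.
Import-Module ActiveDirectory

# Enterprise Admins and Schema Admins exist only in the forest root domain, so
# resolve the groups there rather than in whatever domain this happens to run in.
# (Domain Admins is also taken from the root domain here; repeat for child
# domains with -Server <child> if you have them.)
$forestRoot       = (Get-ADForest).RootDomain
$privilegedGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins'
$msaClasses       = 'msDS-ManagedServiceAccount', 'msDS-GroupManagedServiceAccount'

function Find-ServiceAccountsInPrivilegedGroups {
    foreach ($groupName in $privilegedGroups) {
        # -Recursive so an MSA nested through another group is not missed
        $members = Get-ADGroupMember -Identity $groupName -Server $forestRoot -Recursive
        foreach ($m in $members) {
            [pscustomobject]@{
                Group       = $groupName
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass
                IsMsa       = $m.objectClass -in $msaClasses
            }
        }
    }
}

function Get-ServiceAccountUsage {
    param([Parameter(Mandatory)][string]$Name)
    # memberOf is populated on the object even though ADUC shows no "Member Of" tab.
    # HostComputers is filled for a standalone MSA, PrincipalsAllowedToRetrieveManagedPassword
    # for a gMSA; together with the SPNs they tell you which hosts and services depend on it.
    Get-ADServiceAccount -Identity $Name -Server $forestRoot -Properties MemberOf, HostComputers,
        PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
        Select-Object Name, ObjectClass, MemberOf, HostComputers,
            PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames
}

# Full membership report, service accounts sorted to the top
$report = Find-ServiceAccountsInPrivilegedGroups
$report | Sort-Object IsMsa -Descending | Format-Table -AutoSize

# Drill into each service account that turned up, before deciding whether to remove it
foreach ($svc in ($report | Where-Object IsMsa | Select-Object -ExpandProperty Member -Unique)) {
    Get-ServiceAccountUsage -Name $svc | Format-List
}
```

Run it before and after the change: the first table is the evidence for removing the account, and the second listing tells you which hosts to restart and watch, which is the check Bonnie wanted to make before touching anything.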

