Someone took the easy route and rather than figuring out what access the account actually needed, they added it to EAs to solve the problem at hand. You should figure out how to get the ID out of that group.

Thanks,
Brian Desmond
w - 312.625.1438 | c - 312.731.3132

From: [email protected] On Behalf Of Joseph L. Casale
Sent: Thursday, May 25, 2017 9:01 AM
To: [email protected]
Subject: [NTSysADM] RE: Managed Service Accounts

Bonnie,

The account type in terms of membership is no different than a regular account. When created, it starts out with minimal privileges; you can then apply membership as your requirement needs. They most certainly don't require EA membership for any fundamental operation.

jlc

From: [email protected] On Behalf Of Miller Bonnie L.
Sent: Thursday, May 25, 2017 7:49 AM
To: [email protected]
Subject: [NTSysADM] RE: Managed Service Accounts

Thanks, and I already know what it's used for and it doesn't even need domain admin or local admin on the boxes it's used on. I just don't have any others to compare it to, but it didn't seem right. So nobody else sees this with their managed service accounts, that they are in their enterprise admins group?

I'd love to use more, we just haven't upgraded/replaced any on-prem systems in a while that would need one. Locking the groups down via restricted is something we've discussed before but haven't done; will bring it up again.

-Bonnie

From: [email protected] On Behalf Of Joseph L. Casale
Sent: Wednesday, May 24, 2017 3:09 PM
To: [email protected]
Subject: [NTSysADM] RE: Managed Service Accounts

I make extensive use of them. Anytime I need a service account (for Windows based apps that can utilize them) I use an MSA or GMSA. They work great as they remove the manual password management task from you. For example, I always install MSSQL servers with them; the required permissions are well documented in regards to what each service requires in which scenarios.

To be honest, I can't fathom any app needing that level of permission and I am not sure I would automate one that did... Find out what uses it, I doubt once you know that you will have any trouble inferring the genuine permission requirements...

jlc

From: [email protected] On Behalf Of Miller Bonnie L.
Sent: Wednesday, May 24, 2017 2:59 PM
To: [email protected]
Subject: [NTSysADM] Managed Service Accounts

So, I'm doing a regular review of admin accounts and found something odd I want to ask about before I change that I can't find any reference to in Google-land. Our "Enterprise admins" group has a managed service account in it, which I don't think should be there, but I really don't know as we had a new system installed this last year and it's actually our first managed service account, so I don't have another one to compare it to. Although I have participated in some of the later setup, another domain admin helped with this portion while I was out.

So, does anyone who is using managed service accounts see them show up in your Enterprise Admins group, or have any reference to documentation saying it should be there? On the account properties there is no "member of" tab to look at. If it's not supposed to be there I want to remove it and restart the related systems to make sure everything continues to work correctly, but wouldn't want to change it if it's supposed to be there.

Thanks,
Bonnie
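One way to answer the two questions raised in the thread (is a managed service account sitting in Enterprise Admins, and what is it actually a member of, given that the GUI offers no "member of" tab for it), as an added PowerShell example that is not part of the list thread; it assumes the RSAT ActiveDirectory module, read access to AD, and a group named 'Enterprise Admins':

```powershell
# Added example (not from the thread): audit Enterprise Admins for managed
# service accounts and show the group/host view the GUI does not expose.
# Assumes the RSAT ActiveDirectory module is installed and you can read AD.
Import-Module ActiveDirectory

$group = 'Enterprise Admins'

# Object classes used by standalone MSAs and group MSAs respectively.
$msaClasses = @('msDS-ManagedServiceAccount', 'msDS-GroupManagedServiceAccount')

# 1) Which members of the group are service accounts at all?
#    -Recursive also catches an MSA that got in through a nested group.
$members = Get-ADGroupMember -Identity $group -Recursive
$msaInGroup = $members | Where-Object { $_.objectClass -in $msaClasses }

if ($msaInGroup) {
    Write-Host "Managed service accounts found in '$group':"
    $msaInGroup | Select-Object Name, SamAccountName, objectClass, DistinguishedName |
        Format-Table -AutoSize
} else {
    Write-Host "No managed service accounts are members of '$group'."
}

# Turn a DN like "CN=Enterprise Admins,CN=Users,DC=corp,DC=example" into its CN.
# Simple split; a CN containing an escaped comma would need a real DN parser.
function Get-CnFromDn([string]$dn) { ($dn -split ',')[0] -replace '^CN=' }

# 2) For each one, list every group it belongs to, which computers may retrieve
#    its password (gMSA only), and when it was last used, which helps you
#    identify the system that depends on it before you pull it out of the group.
foreach ($msa in $msaInGroup) {
    $acct = Get-ADServiceAccount -Identity $msa.SamAccountName `
        -Properties MemberOf, PrincipalsAllowedToRetrieveManagedPassword, LastLogonDate, Created
    [pscustomobject]@{
        Account      = $acct.SamAccountName
        Created      = $acct.Created
        LastLogon    = $acct.LastLogonDate
        MemberOf     = ($acct.MemberOf | ForEach-Object { Get-CnFromDn $_ }) -join '; '
        AllowedHosts = ($acct.PrincipalsAllowedToRetrieveManagedPassword |
                        ForEach-Object { Get-CnFromDn $_ }) -join '; '
    }
}
```

MemberOf shows direct memberships only; the -Recursive walk in step 1 is what reveals membership inherited through a nested group.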

