It's been years since I have used a product that "required" its MSA to be
in the Enterprise Admins group, and even then it was suspect.  I can't
recall the specific app to provide more details, but the oddity of it
stands out in my memory.  In the end, it depends on the app and what it's
doing.

If your MSA doesn't require cross-domain permissions, then it doesn't
belong in the Enterprise Admins group.  This document highlights some
examples of Enterprise Admins group requirements:

http://www.w2k.vt.edu/docs/EAScenarios.pdf


--
Espi


On Thu, May 25, 2017 at 6:48 AM, Miller Bonnie L. <
[email protected]> wrote:

> Thanks, and I already know what it’s used for and it doesn’t even need
> domain admin or local admin on the boxes it’s used on.  I just don’t have
> any others to compare it to but it didn’t seem right.  So nobody else sees
> this with their managed service accounts, that they are in their enterprise
> admins group?
>
>
>
> I’d love to use more, we just haven’t upgraded/replaced any on-prem
> systems in a while that would need one.  Locking the groups down via
> restricted is something we’ve discussed before but haven’t done, will bring
> it up again.
>
>
>
> -Bonnie
>
>
>
> *From:* [email protected] [mailto:listsadmin@lists.myitforum.com] *On Behalf Of *Joseph L. Casale
> *Sent:* Wednesday, May 24, 2017 3:09 PM
> *To:* [email protected]
> *Subject:* [NTSysADM] RE: Managed Service Accounts
>
>
>
> I make extensive use of them. Anytime I need a service account (for
> Windows based apps that can utilize them) I use an MSA or GMSA. They work
> great as they remove the manual password management task from you.
>
>
>
> For example, I always install MSSQL servers with them, the required
> permissions are well documented in regards to what each service requires in
> which scenarios.
>
>
>
> To be honest, I can’t fathom any app needing that level of permission and
> I am not sure I would automate one that did…  Find out what uses it, I
> doubt once you know that you will have any trouble inferring the genuine
> permission requirements…
>
>
>
> jlc
>
>
>
> *From:* [email protected] [mailto:listsadmin@lists.myitforum.com <[email protected]>] *On Behalf Of *Miller Bonnie L.
> *Sent:* Wednesday, May 24, 2017 2:59 PM
> *To:* [email protected]
> *Subject:* [NTSysADM] Managed Service Accounts
>
>
>
> So, I’m doing a regular review of admin accounts and found something odd I
> want to ask about before I change that I can’t find any reference to in
> Google-land.  Our “Enterprise admins” group has a managed service account
> in it, which I don’t think should be there, but I really don’t know as we
> had a new system installed this last year and it’s actually our first
> managed service account, so I don’t have another one to compare it to.
> Although I have participated in some of the later setup, another domain
> admin helped with this portion while I was out.
>
>
> So, does anyone who is using managed service accounts see them show up in
> your Enterprise Admins group, or have any reference to documentation saying
> it should be there?  On the account properties there is no “member of” tab
> to look at.
>
>
>
> If it’s not supposed to be there I want to remove it and restart the
> related systems to make sure everything continues to work correctly, but
> wouldn’t want to change it if it’s supposed to be there.
>
>
>
> Thanks,
> Bonnie
>
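As an added example (not from anyone in the thread), a PowerShell audit that answers Bonnie's question directly: it lists any MSA or gMSA nested anywhere under Enterprise Admins and, because the account's property sheet has no "Member Of" tab, reads each service account's memberOf attribute instead. It assumes the ActiveDirectory RSAT module and read access to the forest root domain.

```powershell
# Added example, not from the mailing-list thread. Assumes the ActiveDirectory
# module (RSAT) is installed and the caller can read the forest root domain.
Import-Module ActiveDirectory

# Enterprise Admins exists only in the forest root domain, so query a DC there.
$rootDomain = (Get-ADForest).RootDomain
$serviceAccountClasses = @('msDS-ManagedServiceAccount', 'msDS-GroupManagedServiceAccount')

# Turn a distinguishedName into its leaf CN for readable output.
function Get-LeafName([string]$dn) { ($dn -split ',')[0] -replace '^CN=' }

# 1. Any MSA/gMSA reachable through Enterprise Admins (including nesting) is a finding.
$eaMembers = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $rootDomain -Recursive
$findings  = $eaMembers | Where-Object { $serviceAccountClasses -contains $_.objectClass }
if ($findings) {
    Write-Warning 'Service accounts found in Enterprise Admins (review and remove if not required):'
    $findings | Select-Object Name, objectClass, distinguishedName | Format-Table -AutoSize
} else {
    Write-Output 'No MSA/gMSA objects are members of Enterprise Admins.'
}

# 2. For every service account in the domain, show its groups and who may use it.
#    memberOf gives the direct group memberships the GUI does not display for MSAs.
#    PrincipalsAllowedToRetrieveManagedPassword applies to gMSAs, HostComputers to
#    standalone MSAs; together they show which hosts actually consume the account.
Get-ADServiceAccount -Filter * -Properties MemberOf, PrincipalsAllowedToRetrieveManagedPassword, HostComputers |
    ForEach-Object {
        $acct  = $_
        $users = @($acct.PrincipalsAllowedToRetrieveManagedPassword) + @($acct.HostComputers)
        [PSCustomObject]@{
            Name     = $acct.Name
            Class    = $acct.ObjectClass
            MemberOf = ($acct.MemberOf | ForEach-Object { Get-LeafName $_ }) -join '; '
            UsedBy   = ($users | Where-Object { $_ } | ForEach-Object { Get-LeafName $_ }) -join '; '
        }
    } | Format-Table -AutoSize
```

Run it from the forest root domain before removing the membership, and keep the output as the before/after record for the admin-account review.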
