Nope, and thanks to all for confirming.  I already removed it and restarted 
servers this morning with no issues in the software functionality, and everyone 
is now aware in case something crops up.

I’d be curious to know what your product was that required it?  This is a third 
party centralized video camera security monitoring solution for our schools 
that runs on a customized WS12R2 on custom Dell hardware.  New server systems 
and cameras are still being brought online as they retrofit and replace old 
cameras and scale up to eventually include coverage for all sites.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Micheal Espinola Jr
Sent: Thursday, May 25, 2017 11:27 AM
To: [email protected]
Subject: Re: [NTSysADM] RE: Managed Service Accounts

It's been years since I have used a product that "required" its MSA to be in 
the Enterprise Admins group, and even then it was suspect.  I can't recall the 
specific app to provide more details, but the oddity of it stands out in my 
memory.  In the end, it depends on the app and what it's doing.

If your MSA doesn't require cross-domain permissions, then it doesn't belong in 
the Enterprise Admins group.  This document highlights some examples of 
Enterprise Admins group requirements:

http://www.w2k.vt.edu/docs/EAScenarios.pdf

--
Espi


On Thu, May 25, 2017 at 6:48 AM, Miller Bonnie L. 
<[email protected]> wrote:
Thanks, and I already know what it’s used for and it doesn’t even need domain 
admin or local admin on the boxes it’s used on.  I just don’t have any others 
to compare it to but it didn’t seem right.  So nobody else sees this with their 
managed service accounts, that they are in their enterprise admins group?

I’d love to use more, we just haven’t upgraded/replaced any on-prem systems in 
a while that would need one.  Locking the groups down via restricted is 
something we’ve discussed before but haven’t done, will bring it up again.

-Bonnie

From: [email protected] [mailto:[email protected]] 
On Behalf Of Joseph L. Casale
Sent: Wednesday, May 24, 2017 3:09 PM
To: [email protected]
Subject: [NTSysADM] RE: Managed Service Accounts

I make extensive use of them. Anytime I need a service account (for Windows 
based apps that can utilize them) I use an MSA or GMSA. They work great as they 
remove the manual password management task from you.

For example, I always install MSSQL servers with them, the required permissions 
are well documented in regards to what each service requires in which scenarios.

To be honest, I can’t fathom any app needing that level of permission and I am 
not sure I would automate one that did…  Find out what uses it, I doubt once 
you know that you will have any trouble inferring the genuine permission 
requirements…

jlc

From: [email protected] [mailto:[email protected]] On Behalf Of Miller Bonnie L.
Sent: Wednesday, May 24, 2017 2:59 PM
To: [email protected]
Subject: [NTSysADM] Managed Service Accounts

So, I’m doing a regular review of admin accounts and found something odd I want 
to ask about before I change that I can’t find any reference to in Google-land. 
Our “Enterprise admins” group has a managed service account in it, which I 
don’t think should be there, but I really don’t know as we had a new system 
installed this last year and it’s actually our first managed service account, 
so I don’t have another one to compare it to.  Although I have participated in 
some of the later setup, another domain admin helped with this portion 
while I was out.

So, does anyone who is using managed service accounts see them show up in your 
Enterprise Admins group, or have any reference to documentation saying it 
should be there?  On the account properties there is no “member of” tab to look 
at.

If it’s not supposed to be there I want to remove it and restart the related 
systems to make sure everything continues to work correctly, but wouldn’t want 
to change it if it’s supposed to be there.

Thanks,
Bonnie
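The question above (no "Member Of" tab on a managed service account, and whether an MSA belongs in Enterprise Admins) can be answered from PowerShell rather than the ADUC property sheet. The script below is an added example written for this page, not code from anyone in the thread. It assumes the RSAT ActiveDirectory module is installed, that it is run from the forest root domain (where the Enterprise Admins group lives) with read access to the directory, and that the group name is the default "Enterprise Admins"; the removal step is a dry run only.

```powershell
# Added example (not from the thread): audit Enterprise Admins for managed
# service accounts and show the group memberships ADUC hides for MSAs.
# Assumes the RSAT ActiveDirectory module and a session in the forest root domain.
Import-Module ActiveDirectory

# Object classes for standalone MSAs and group MSAs (gMSAs)
$msaClasses = @('msDS-ManagedServiceAccount', 'msDS-GroupManagedServiceAccount')

# 1. Walk Enterprise Admins, expanding nested groups, and flag any MSA/gMSA.
#    -Recursive matters: a service account nested through another group is
#    still effectively an Enterprise Admin but is easy to miss in the GUI.
$eaMembers = Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive
$suspect   = $eaMembers | Where-Object { $_.objectClass -in $msaClasses }

if ($suspect) {
    Write-Host 'Managed service accounts with Enterprise Admins membership:'
    $suspect |
        Select-Object Name, SamAccountName, objectClass, distinguishedName |
        Format-Table -AutoSize
} else {
    Write-Host 'No managed service accounts are members of Enterprise Admins.'
}

# Helper: reduce a list of distinguished names to their leaf CN values
function ConvertTo-LeafName {
    param([string[]] $DistinguishedNames)
    ($DistinguishedNames | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
}

# 2. For every MSA/gMSA in the domain, read the memberOf back-link directly.
#    This is the "Member Of" view the property sheet does not offer, and
#    PrincipalsAllowedToRetrieveManagedPassword shows which hosts can use a gMSA
#    (empty for a standalone MSA), which helps work out what the account is for.
Get-ADServiceAccount -Filter * -Properties MemberOf, PrincipalsAllowedToRetrieveManagedPassword |
    ForEach-Object {
        [PSCustomObject]@{
            Name     = $_.Name
            Class    = $_.ObjectClass
            MemberOf = ConvertTo-LeafName $_.MemberOf
            Hosts    = ConvertTo-LeafName $_.PrincipalsAllowedToRetrieveManagedPassword
        }
    } | Format-Table -AutoSize

# 3. Dry-run the removal. -WhatIf prints what would change without doing it;
#    drop it only after the owning application's real permission needs are
#    confirmed and a restart of the dependent servers is scheduled.
foreach ($acct in $suspect) {
    Remove-ADGroupMember -Identity 'Enterprise Admins' -Members $acct -Confirm:$false -WhatIf
}
```

Running step 1 on a schedule (or comparing its output against a Restricted Groups policy, as mentioned earlier in the thread) turns the one-off review into a repeatable check, so a service account quietly added to a privileged group by an installer shows up at the next run rather than at the next manual audit.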
