
Our Active Directory Domain contains two Managed Service Accounts, MediaAdmin and ServerAdmin:

[screenshot: the two Managed Service Accounts shown in Active Directory Users and Computers]

I don't remember adding them, and Google tells me that they are related to the Windows Server Essentials role. Their HostComputers attribute is an empty list, and the last logon timestamp is from over four years ago. This could be the time when we stopped using the Server Essentials features:

PS> Get-ADServiceAccount -Filter * -Properties lastLogonTimestamp | select name,HostComputers,{[DateTime]::fromFileTime($_.lastLogonTimestamp)}

name        HostComputers [DateTime]::fromFileTime($_.lastLogonTimestamp)
----        ------------- -----------------------------------------------
ServerAdmin {}            19.02.2018 15:19:43
MediaAdmin  {}            19.02.2018 15:19:44

The fact that ServerAdmin is in the Domain Admins group makes me a bit uncomfortable. Is it safe (and/or maybe even recommended) to remove those MSAs? As mentioned above, we don't use the Essentials role any more in our domain.

Heinzi
  • I think this should be tested, but if I had an account in Domain Admins and I didn't know what it was for or didn't think it was necessary I would remove it. Usually these "evictions" occur after something bad has happened, it's good to see people proactively doing this. :-) – Greg Askew Sep 23 '22 at 20:12
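An added example, not part of the question or the comments above: the one-liner in the question checks two of the warning signs by hand (stale lastLogonTimestamp, empty HostComputers); this script turns that into a repeatable audit that also resolves privileged group membership, and wraps the removal in the staged order a defender would use (drop the privileged membership first, disable, observe, delete last). The function names, the 180-day staleness threshold and the list of privileged groups are my choices, not anything from the page; it needs the RSAT ActiveDirectory module and read rights to the domain.

```powershell
# Added example (not from the original question): audit every MSA/gMSA in the
# domain for the warning signs in the question: stale lastLogonTimestamp, no
# host bound to the account, and membership in a privileged group.
Import-Module ActiveDirectory

# Groups whose membership turns an unused service account into a high-value target.
# (Assumed list; extend it with any tier-0 groups specific to your domain.)
$PrivilegedGroups = 'Domain Admins','Enterprise Admins','Administrators',
                    'Schema Admins','Account Operators','Server Operators',
                    'Backup Operators'

function Get-StaleServiceAccountReport {
    [CmdletBinding()]
    param(
        # Accounts whose last logon is older than this are reported as stale.
        [int]$StaleDays = 180
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # Resolve privileged membership recursively once and index it by DN, so
    # nested membership (MSA -> some group -> Domain Admins) is caught as well.
    $privilegedDNs = @{}
    foreach ($g in $PrivilegedGroups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) { $privilegedDNs[$m.DistinguishedName] = $g }
    }

    $props = 'lastLogonTimestamp','HostComputers','PrincipalsAllowedToRetrieveManagedPassword',
             'Enabled','whenCreated','MemberOf'
    Get-ADServiceAccount -Filter * -Properties $props | ForEach-Object {
        $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        # A standalone MSA is bound to a host through HostComputers; a gMSA through
        # the principals allowed to retrieve its password. Either list being empty
        # means nothing can currently use the account.
        $isGmsa = $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount'
        $bound  = if ($isGmsa) { @($_.PrincipalsAllowedToRetrieveManagedPassword).Count } else { @($_.HostComputers).Count }
        [pscustomobject]@{
            Name            = $_.Name
            Kind            = if ($isGmsa) { 'gMSA' } else { 'sMSA' }
            Enabled         = $_.Enabled
            Created         = $_.whenCreated
            LastLogon       = $lastLogon
            Stale           = (-not $lastLogon) -or ($lastLogon -lt $cutoff)
            BoundHosts      = $bound
            PrivilegedGroup = $privilegedDNs[$_.DistinguishedName]
        }
    }
}

function Invoke-ServiceAccountEviction {
    # Staged removal for a stale, unbound account:
    #   1. remove it from the privileged group (the part that actually hurts),
    #   2. disable it and wait an observation window for anything to break,
    #   3. delete it only afterwards (-Delete).
    # Without -Enforce the function only reports what it would do.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$Enforce,
        [switch]$Delete
    )
    $report = Get-StaleServiceAccountReport | Where-Object Name -eq $Name
    if (-not $report) { throw "No managed service account named '$Name'" }
    if (-not ($report.Stale -and $report.BoundHosts -eq 0)) {
        Write-Warning "$Name still shows recent logons or is bound to a host; not evicting."
        return $report
    }
    $acct = Get-ADServiceAccount -Identity $Name
    if ($report.PrivilegedGroup) {
        Write-Host "Removing $Name from $($report.PrivilegedGroup)"
        if ($Enforce) { Remove-ADGroupMember -Identity $report.PrivilegedGroup -Members $acct -Confirm:$false }
    }
    Write-Host "Disabling $Name"
    if ($Enforce) { Set-ADServiceAccount -Identity $acct -Enabled $false }
    if ($Delete) {
        Write-Host "Deleting $Name"
        if ($Enforce) { Remove-ADServiceAccount -Identity $acct -Confirm:$false }
    }
    return $report
}

# Usage: review the whole domain first, then evict one account at a time.
Get-StaleServiceAccountReport | Format-Table -AutoSize
Invoke-ServiceAccountEviction -Name ServerAdmin             # report only
# Invoke-ServiceAccountEviction -Name ServerAdmin -Enforce   # stages 1 and 2
# Invoke-ServiceAccountEviction -Name ServerAdmin -Enforce -Delete   # after the observation window
```

Removing the Domain Admins membership before disabling or deleting matters because a deleted object can be restored from the Recycle Bin with its group memberships intact, whereas an account that is merely stale but still privileged is the thing an attacker would try to use; doing the membership change first also means the account keeps working (unprivileged) if something unexpected still depends on it.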

1 Answer


My understanding of ServerAdmin (and you should be able to check this) is that the account is a group Managed Service Account (gMSA) and should be found in that location. In Essentials, it needs to be part of the "Log on as a service" Security Policy and is connected to the distribution of the SSL CA.
gMSA accounts are created to allow a service account to have no password other than one that is issued by Kerberos from the Active Directory or from the actual local server if it is a local service account. Such as it is, you cannot impersonate a managed account by typing in a password. The password, in addition to being pushed out by a service which prevents you from having to change the password on a schedule when it expires, also prevents a user from assuming that identity and logging into the server with that (password) account. If you delete the account, you can also recreate it.

New-ADServiceAccount -Name ServerAdmin -enabled $True

You should be able to check that it is a managed service account through the "Active Directory Users and Computers". If it is a managed account, it will list under "Managed Service Accounts".
The risk would be using this account to run a service that can be manipulated by an unauthorized user. SQL Server, for example, runs under a local managed service account by default, but can be (and should be) transferred to a gMSA. That said, it would not be wise to have SQL Server running under a Domain Admin account, as there are many registry manipulations that can be done through SQL Server that you don't want your DBAs administering. By association, the better gMSA for SQL is one with minimum permissions to the ACLs.

Jamie
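An added example, not from the answer above or the poster: the answer says to confirm that the object really is a managed service account and where it lives, and recommends a gMSA with minimum permissions for services like SQL Server. The first function reads the object class (standalone MSA and gMSA are different schema classes), the container and who may retrieve the password; the second shows the parameters a least-privilege gMSA actually needs, which the bare New-ADServiceAccount line in the answer leaves out. The account, group and DNS names are placeholders I chose; the functions are mine, not the page's.

```powershell
# Added example (not from the original answer): identify what kind of managed
# account an object is and where it lives, then create a least-privilege gMSA.
Import-Module ActiveDirectory

function Get-ManagedServiceAccountInfo {
    param([Parameter(Mandatory)][string]$Name)
    $props = 'PrincipalsAllowedToRetrieveManagedPassword','HostComputers','MemberOf','ServicePrincipalNames'
    $a = Get-ADServiceAccount -Identity $Name -Properties $props
    # gMSA and standalone MSA are distinct object classes in the AD schema.
    $kind = switch ($a.ObjectClass) {
        'msDS-GroupManagedServiceAccount' { 'gMSA' }
        'msDS-ManagedServiceAccount'      { 'standalone MSA' }
        default                           { $a.ObjectClass }
    }
    [pscustomobject]@{
        Name               = $a.Name
        Kind               = $kind
        # The default container the answer refers to; an object elsewhere deserves a second look.
        InDefaultContainer = $a.DistinguishedName -like '*,CN=Managed Service Accounts,DC=*'
        Container          = ($a.DistinguishedName -split ',', 2)[1]
        # Who can pull the password (gMSA) or which host owns the account (sMSA).
        PasswordRetrievers = @($a.PrincipalsAllowedToRetrieveManagedPassword)
        HostComputers      = @($a.HostComputers)
        # Group names only, for a quick read; Domain Admins here is the finding.
        Groups             = @($a.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
        SPNs               = @($a.ServicePrincipalNames)
    }
}

function New-LeastPrivilegeSqlGmsa {
    # Least-privilege gMSA for a SQL Server service: only the computer accounts in
    # one group may retrieve the password, no group memberships beyond the default,
    # and the SPN the service needs is registered on the gMSA itself.
    param(
        [string]$Name      = 'svc-sql-gmsa',   # placeholder account name
        [string]$HostGroup = 'SQL-Hosts',      # placeholder group containing the SQL host computer accounts
        [string]$DnsSuffix = 'corp.example',   # placeholder domain DNS name
        [string]$SqlHost   = 'sqlhost'         # placeholder SQL Server host name
    )
    # A KDS root key must exist once per forest first (check with Get-KdsRootKey).
    New-ADServiceAccount -Name $Name `
        -DNSHostName "$Name.$DnsSuffix" `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -ServicePrincipalNames "MSSQLSvc/$SqlHost.$($DnsSuffix):1433" `
        -Enabled $true
    Get-ManagedServiceAccountInfo -Name $Name
}

# Usage: first the object from the question, then the replacement pattern.
Get-ManagedServiceAccountInfo -Name ServerAdmin
# New-LeastPrivilegeSqlGmsa
```

On the SQL host afterwards (it must be a member of the host group and rebooted so its token carries that membership), Install-ADServiceAccount and Test-ADServiceAccount should both succeed, and the service logs on as DOMAIN\svc-sql-gmsa$ with a blank password; anything the service legitimately needs on the server is then granted to that identity explicitly rather than inherited from Domain Admins.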