Microsoft
Microsoft1) I probably should have brought the discussion up on "Action Account", but we recommend "Using a dedicated gMSA as an action account is optional. We recommend that you use the default settings for the LocalSystem account." So there is nothing to do from an admin user install prespective.
Manage action accounts - Microsoft Defender for Identity | Microsoft Learn
2) I can't comment on license questions, please work with the team you purchased your licensing from.
3) Once the gMSA is created (Using the MDI PoSh cmdlet(s)) there should be no activation required. I verified this by bringing up another DC in my lab to ensure that this worked without any effort on my part. Please see the notification on using any of my PowerShell scripts within the blog itself.
Thanks!
1. Good stuff, the wording has been changed! great to see (in my own scripts i always deploy two, i can now modify to streamline for 1). <3
2. Thanks! Understandable. There are so many uncompliant instances as its not well known that all objects (even if 15.000 inactive or frontlineworker accounts are present that do not use devices, laptops or pc's - but have an userobject in AD) needs to be covered with a license. Many companies buys 500 E5's for their officeworkers but forget the rest.
3. So, localsystem, is there any configuration needed for this account like you do with a separate gMSA action account? to me it seems kinda weird that system account has the access needed to become 'action account' in my Active Directory. But perhaps clicking the 'automaticly use the local system account' in XDR-portal does something in the background configures its access in AD to reset pw and disable accounts (im trying to understand how its granted these rights).
(For anyone reading this, the activation mentioned earlier is: Install-ADServiceAccount -Identity gMSA-Account, which was needed for each DC where gMSA account would be active on)
Keep up the great work :) !
Would love to see how you could bring the powershell module with you to an envoirment that has no internetconnection!
