Forum Discussion
Azure ATP - AD gMSA services accounts to sensor affinity or lack of?
aaaaaaaanonymous, if all the 5 domains have full trust, you can use a single gMSA account for all domains; you just need to give all the relevant DCs permission to get the gMSA password. It should work, will be easier to manage, and you won't see those failures.
Sadly there is no way to lock down a sensor to specific credentials manually;
a sensor will lock itself down once it's running to a set of working credentials automatically.
EliOfek, thanks for your reply. Yes, full trust exists: 1 root and 4 child domains. So are you saying that if I add my sensor DCs from the various domains into one group that is set as PrincipalsAllowedToRetrieveManagedPassword for 1 gMSA, then it should work?
My testing of multiple DC sensor servers from different domains in one group using 1 gMSA: running Install-ADServiceAccount or Test-ADServiceAccount results in errors. Is this the fault of the above 2 commands, which only send the request to their own domain controllers, while the ATP sensor is smart enough to seek beyond its domain?
- EliOfek, Nov 16, 2020, Microsoft
aaaaaaaanonymous, indeed in our lab Test-ADServiceAccount will also only work on the same domain, but the sensor still works across the forest if permissions were set correctly. I suggest you try it.
- aaaaaaaanonymous, Nov 16, 2020, Copper Contributor
EliOfek, thank you so much.
I was able to run off one single gMSA. It works well.
It is so good to have someone from the R&D team here to help answer questions.
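The setup the thread converges on (one gMSA, password retrieval granted to a group that holds the sensor DCs from every domain in the forest) can be scripted as below. This is an added example, not code from the thread or from Microsoft's Defender for Identity documentation. It assumes the ActiveDirectory and Kds PowerShell modules, rights to create objects in the root domain, and placeholder names: a root domain `corp.example` with child domains `emea.corp.example` and `apac.corp.example`, a universal group `ATP-Sensor-DCs`, a gMSA `gmsaATP`, and sensor DCs `DC01`, `DC02`, `DC03`. The choice of a universal group is an assumption made so that computer accounts from child domains can be members.

```powershell
# Added example (not from the thread): one gMSA for ATP / Defender for Identity sensors
# across a forest with full trust. All domain, group, gMSA and DC names are placeholders.

Import-Module ActiveDirectory

$rootDomain = 'corp.example'        # placeholder root domain (gMSA and group live here)
$groupName  = 'ATP-Sensor-DCs'      # placeholder universal security group
$gmsaName   = 'gmsaATP'             # placeholder gMSA name (sAMAccountName limit is 15 characters)

# Sensor DCs and the domain each computer account lives in (placeholders)
$sensorDCs = @(
    @{ Name = 'DC01'; Domain = 'corp.example' },
    @{ Name = 'DC02'; Domain = 'emea.corp.example' },
    @{ Name = 'DC03'; Domain = 'apac.corp.example' }
)

# 1. A KDS root key is required once per forest before any gMSA can be created.
#    -EffectiveImmediately is for lab use; in production allow time for replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. One universal group in the root domain, so DCs from every child domain can be members.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -Server $rootDomain)) {
    New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security -Server $rootDomain
}

# 3. Add each sensor DC's computer account, looking each one up in its own domain.
foreach ($dc in $sensorDCs) {
    $computer = Get-ADComputer -Identity $dc.Name -Server $dc.Domain
    Add-ADGroupMember -Identity $groupName -Members $computer -Server $rootDomain
}

# 4. The single gMSA, with password retrieval granted to the group rather than to individual DCs.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'" -Server $rootDomain)) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.$rootDomain" `
        -PrincipalsAllowedToRetrieveManagedPassword $groupName `
        -Server $rootDomain
}

# 5. Show who may retrieve the password; expect the group's distinguished name.
(Get-ADServiceAccount -Identity $gmsaName -Server $rootDomain `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword

# 6. Show the resulting membership across domains.
Get-ADGroupMember -Identity $groupName -Server $rootDomain | Select-Object Name, distinguishedName
```

Two caveats worth knowing when checking the result. First, as EliOfek notes in the thread, Test-ADServiceAccount run on a child-domain DC only queries that DC's own domain and can report failure even when the cross-forest permission is correct; the sensor's own health status is the more reliable check. Second, a DC's computer account only carries the new group membership after it obtains a fresh Kerberos ticket, so a DC added to the group typically needs a reboot (or a purge of the system account's tickets) before it can retrieve the gMSA password.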