Forum Discussion
Azure ATP Group Managed Service Account (gMSA)
bryanb The main requirement for the creation of the gMSA is indeed the PrincipalsAllowedToRetrieveManagedPassword attribute which points to a group that contains the computer accounts with the sensor installed (you can use the Domain Controller group or a dedicated group for that).
Or Tsemah
Thanks for the response. Something else we found during testing.
We have read-only domain controllers, so that is a different group that needs to be added to the gMSA properties.
We had to grant the gMSA logon rights as a service to each domain controller. A standard account did not require this OS right on the ADDS servers.
- Or Tsemah, May 07, 2020, Iron Contributor
Yes, that's why you should consider using dedicated groups.
Regarding the log in as a Service permission, you can view a possible workaround here: https://techcommunity.microsoft.com/t5/azure-advanced-threat-protection/azure-atp-service-not-starting/m-p/1368747#M1175
- bryanb, May 07, 2020, Brass Contributor
Or Tsemah Thanks, that is probably the same issue we have with the logon rights.
Dedicated groups work also. The disadvantage for us is remembering to add the computers to that group as part of an ADDS server deployment.
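The thread describes two pieces of the setup: creating the gMSA with PrincipalsAllowedToRetrieveManagedPassword pointing at a group that holds the sensor hosts (including read-only domain controllers, which are not in the built-in Domain Controllers group), and the operational problem of remembering to add newly deployed ADDS servers to that dedicated group. The following PowerShell is an added example, not code from the thread or from Microsoft; the group name ATP-Sensor-Hosts and the gMSA name svcAzureATP are assumed, and it uses only standard ActiveDirectory module cmdlets.

```powershell
# Added example (not from the thread). Assumed names: group 'ATP-Sensor-Hosts', gMSA 'svcAzureATP'.
# Run on a writable DC or a host with RSAT, as a domain admin.
Import-Module ActiveDirectory

$groupName = 'ATP-Sensor-Hosts'
$gmsaName  = 'svcAzureATP'
$domainDns = (Get-ADDomain).DNSRoot

# A KDS root key must exist before any gMSA can be created.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately is for lab use; in production, wait ~10 hours for replication instead.
    Add-KdsRootKey -EffectiveImmediately
}

# Dedicated security group of the computer accounts that may retrieve the managed password.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupCategory Security -GroupScope Global `
        -Description 'Computer accounts running the Azure ATP sensor'
}

# Add every DC, writable and read-only; Get-ADDomainController -Filter * returns both.
$dcComputers = Get-ADDomainController -Filter * |
    ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN }
Add-ADGroupMember -Identity $groupName -Members $dcComputers

# Create the gMSA; the group above is the value of PrincipalsAllowedToRetrieveManagedPassword.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName -DNSHostName "$gmsaName.$domainDns" `
        -PrincipalsAllowedToRetrieveManagedPassword $groupName
}

# Drift check for the "remembering to add the computers" problem:
# list DCs (including RODCs) that are not yet members of the dedicated group.
function Get-DcMissingFromSensorGroup {
    param([string]$Group = $groupName)
    $memberDns = Get-ADGroupMember -Identity $Group -Recursive |
        Select-Object -ExpandProperty distinguishedName
    Get-ADDomainController -Filter * |
        Where-Object { $_.ComputerObjectDN -notin $memberDns } |
        Select-Object HostName, IsReadOnly, Site
}
Get-DcMissingFromSensorGroup

# On each sensor host, after the membership change has replicated and the host's
# Kerberos ticket reflects the new group (a reboot is the simple way), confirm it
# can retrieve the password before installing or restarting the sensor:
#   Test-ADServiceAccount -Identity $gmsaName    # expected: True
```

The drift check is the part worth scheduling: an RODC or a freshly promoted DC that is missing from the group will fail the Test-ADServiceAccount step and the sensor service will not start, so running Get-DcMissingFromSensorGroup after each promotion (or as a periodic job) catches the gap before it shows up as a sensor outage. The "log on as a service" right the thread mentions is a separate local policy setting on each sensor host and is not granted by this script.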
- Or Tsemah, May 08, 2020, Iron Contributor
We are also evaluating putting sensors on additional components, which is another (future) reason for dedicated groups.