Defender ATP doesnt remove old service account when switched te new account

Question

Good day all,&nbsp;Last week i wanted to setup a gmsa account instead of a user account for ATP Defender for identity service.I had a test account which i later changed to the new one.&nbsp;The new gMSA account works fine now.&nbsp;But the thing is:I have removed the old testgmsa account but the old account somehow are still being reported that the credentials are not correct. The issues keeps popping up in our portal.Does anyone have seen this behaviour? And is there a fix for this?

eliofek · Answer

Close the alert, if it says closed it's OK, if it reopens let me know.
We close the alert if we see the credentials fixed, but in this case you removed it while they were in error, so we are not reporting it fixed to auto close this.

manuell665 · Answer

Thanks for your quick reply! unfortunatly the alert immediatly re-opens when i close the alert.

eliofek · Answer

this account is no longer in the credentials list in the MDI portal ? can you make sure?
are all sensors currently reporting healthy ?
is it possible not all sensors can pull the gmsa's password for the new credentials ?

manuelll1310 · Answer

EliOfek&nbsp;&nbsp;Correct. All sensors installed and confirmed as "running" ands report healthy. The current account is working.&nbsp;I did a test just to switched to a non-existing account and switch back to the current working account.&nbsp;And now two accounts reports credential failures, even though they are not existing and not selected as account.&nbsp;&nbsp;I can also confirm that all dc's are in the gmsa group for receiving password.

eliofek · Answer

Weird, this seems too challenging for a forum troubleshooting, please open a support case for this one, so the engineer can collect sensor logs and check why the sensors keep using the old credentials.

Forum Discussion

Defender ATP doesnt remove old service account when switched te new account

Share

Resources