Forum Discussion
empty timeline, no alerts detected
My Guess -> Don't add gMSA to domain admins or delegated permissions set.
Make sure your gMSA is correctly set before next step.
Remove AATP Installation.
Remove anything you've added including prior WinPCaps whether it was for Nmap, Suricata, etc.
- Make sure your gMSA is correctly set before next step.
- Confirm Portal is correct
- Confirm gMSA has permissions
- Confirm gMSA is allowed to retrieve managed passwords from the group "Domain Controllers".
Reinstall it using a fresh pull from the portal.
Do not go to Services and change anything like the user account. It needs to stay as the Local Service.
Hope this helps.
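The "confirm gMSA has permissions" and "don't add it to Domain Admins" points above can be verified from a DC with the ActiveDirectory module. This is an added example, not code from the thread or from the AATP product; the gMSA name `mdiSvc$` is a placeholder.

```powershell
# Added example: check the AATP sensor gMSA against the points in the post above.
# Run on a domain controller where the sensor is (or will be) installed.
Import-Module ActiveDirectory

$gmsaName = 'mdiSvc$'   # placeholder sAMAccountName of the sensor gMSA (assumption)

# Pull the gMSA with the two attributes we need to inspect.
$gmsa = Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, MemberOf

# 1. The sensor runs on DCs, so the "Domain Controllers" group (or each DC
#    computer account) must be allowed to retrieve the managed password.
$dcGroup = Get-ADGroup -Identity 'Domain Controllers'
$dcAllowed = $gmsa.PrincipalsAllowedToRetrieveManagedPassword -contains $dcGroup.DistinguishedName
"Domain Controllers may retrieve managed password : $dcAllowed"

# 2. The gMSA must NOT be a Domain Admin, directly or through nested groups.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
$isDomainAdmin = $domainAdmins.distinguishedName -contains $gmsa.DistinguishedName
"gMSA is a (nested) member of Domain Admins         : $isDomainAdmin"

# 3. Show every group the account is directly in, so unexpected delegation
#    (other privileged groups) is visible at a glance.
"Direct group memberships:"
$gmsa.MemberOf | ForEach-Object { "  $_" }

# 4. Confirm this host can actually retrieve and use the gMSA; this is what
#    the sensor relies on and it only returns True on a permitted computer.
$usableHere = Test-ADServiceAccount -Identity $gmsaName
"This DC can use the gMSA (Test-ADServiceAccount)   : $usableHere"

# Summary of the expected state: retrievable by DCs, not a Domain Admin, usable here.
if ($dcAllowed -and -not $isDomainAdmin -and $usableHere) {
    'gMSA configuration looks correct for the sensor.'
} else {
    'gMSA configuration needs attention; see the checks above.'
}
```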
Jonathan Green , Michele D'Angelantonio Please DO NOT add the gmsa account (or any other account configured for use with AATP) to Domain Admins!
This is a security risk, and is not needed for sure for AATP to run correctly.
The AATP AD account should be a low-privileged user with read-only access to AD, plus some specific permissions (SAMR, deleted items etc.) for enhanced functionality.
- Jonathan Green, Jul 18, 2020, Brass Contributor
Eli,
I had to re-read what I wrote, as mentally that wasn't what I was typing. Fixed.
- Michele D'Angelantonio, Jul 27, 2020, Copper Contributor
Jonathan Green , EliOfek thanks for your suggestions.
Just for update:
I checked and fixed the gMSA account Domain User membership and now I can see more activities and some alarm.
I have one last strange problem. On the AD Connect server activity page I can see everything, but the DC sync activities performed by AD Connect are still missing.
In other implementations it was the first alert I had.
thanks again
Mike