Forum Discussion

ShimKwan
Brass Contributor
Jul 08, 2024
Solved

MDI & gMSA config

Hi,

We have followed the MDI Deployment guide from Microsoft: https://learn.microsoft.com/en-us/defender-for-identity/deploy/deploy-defender-identity

We have also cross referenced this guide: https://jeffreyappel.nl/how-to-implement-defender-for-identity-and-configure-all-prerequisites/

The MDI Portal shows the gMSA account.

The MDI agents are running fine and reporting to the MDI Portal.

However, when we look at Services.msc on the Domain Controllers, the MDI agent runs under the security context of "Local Service" and not the gMSA account.

Can anyone advise us on whether this is correct, or should we see the gMSA account in the Services.msc console? And what other config may be required to make it run under the gMSA account?

Thank you

SK

(screenshot below)

  • ShimKwan This is by design.

    The service should be running as Local Service.

    We only use the gMSA for specific outgoing connections like LDAP and SAMR (potentially using multiple creds).

2 Replies

    • ShimKwan
      Brass Contributor
      Hi EliOfek,

      Thank you so much for your quick reply - we've been scratching our heads thinking we should see the gMSA account appear in the Services.msc console.

      In that case our deployment is running as it should 🙂

      Thank you again!

      PS. Perhaps one day someone will update the MS site with the expected behavior under the gMSA config page: https://learn.microsoft.com/en-us/defender-for-identity/deploy/create-directory-service-account-gmsa
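A PowerShell check, added here and not from either poster, that confirms on a domain controller the state EliOfek describes: the sensor services run as Local Service, and the gMSA is retrievable by that DC for the sensor's outbound LDAP/SAMR queries. It assumes the sensor service names AATPSensor and AATPSensorUpdater, the ActiveDirectory module, and a `$GmsaName` parameter holding the gMSA's name (without the trailing `$`).

```powershell
# Added verification script (not from the thread). Run on a DC with the MDI sensor
# installed and the ActiveDirectory module available.
# Assumptions: sensor services are named AATPSensor / AATPSensorUpdater;
# $GmsaName is the gMSA created for MDI (sAMAccountName without the trailing $).
param(
    [Parameter(Mandatory)] [string] $GmsaName
)

Import-Module ActiveDirectory

# 1. The sensor services are expected to run as Local Service (by design, per the answer).
$services = Get-CimInstance Win32_Service -Filter "Name='AATPSensor' OR Name='AATPSensorUpdater'"
foreach ($svc in $services) {
    $asExpected = $svc.StartName -eq 'NT AUTHORITY\LocalService'
    [pscustomobject]@{
        Check  = "Service $($svc.Name) logon account"
        Value  = $svc.StartName
        Status = if ($asExpected) { 'OK (expected Local Service)' } else { 'Unexpected' }
    }
}

# 2. The gMSA is used only for outbound LDAP/SAMR queries, so what matters is that this DC
#    may retrieve the gMSA's managed password, not that any service logs on as the gMSA.
$gmsa      = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$dcAccount = Get-ADComputer -Identity $env:COMPUTERNAME
$allowed   = $gmsa.PrincipalsAllowedToRetrieveManagedPassword
# Direct group memberships only; a DC allowed via a nested group is not detected here.
$dcGroups  = (Get-ADPrincipalGroupMembership $dcAccount).DistinguishedName
$canRetrieve = $allowed | Where-Object { $_ -eq $dcAccount.DistinguishedName -or $dcGroups -contains $_ }
[pscustomobject]@{
    Check  = "gMSA $GmsaName password retrievable by $($dcAccount.Name)"
    Value  = if ($canRetrieve) { 'Yes' } else { 'No' }
    Status = if ($canRetrieve) { 'OK' } else { 'Add this DC (or its group) to PrincipalsAllowedToRetrieveManagedPassword' }
}

# 3. Test-ADServiceAccount actually attempts to fetch the managed password from this host.
$tested = Test-ADServiceAccount -Identity $GmsaName
[pscustomobject]@{
    Check  = "Test-ADServiceAccount $GmsaName"
    Value  = $tested
    Status = if ($tested) { 'OK' } else { 'Failed: check the KDS root key and group membership (reboot after adding the DC)' }
}
```

A DC that was added to the allowed group after its last reboot will fail check 3 until it is restarted, because the group membership is only refreshed in its Kerberos ticket at logon.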
