Forum Discussion
jazzer
May 06, 2020, Copper Contributor
Medium Alert Read-only user password to expire shortly on GMSA
Hi Azure ATP Team, my Azure ATP is configured to run with a Group Managed Service Account to read AD DS. Why does ATP alert me about "Read-only user password to expire shortly" for a gMSA? Kind Rega...
Gerson Levitz
May 13, 2020, Iron Contributor
Hi jazzer
Are you still seeing the health alert on the gMSA?
Are the sensors still working?
Thanks
Gershon [MSFT]
jazzer
May 13, 2020, Copper Contributor
Yes, the alert is still active and the sensors are still working. I want the system to manage the password. I don't want to have to set the gMSA to "Password never expires"!
The Medium Alert is:
A health issue occurred in contoso
The password for the read-only user, contoso.com\gmsa-ATPSensor$, expires on 5/29/2020 6:58:43 AM UTC. The read-only user is used by the Sensor services to perform LDAP queries against the domain controllers in the environment. If the password expires, the system will stop functioning as expected.
EliOfek, May 13, 2020
Microsoft
jazzer, what is the password expiry policy for this account/domain?
The default for gMSA is to roll passwords once a month. Any chance you changed it to something lower?
jazzer, May 13, 2020, Copper Contributor
Hi EliOfek,
What do you mean by "changed it to something lower"? The purpose of a gMSA is that the system manages and changes the password, like a computer account. At what intervals the system changes the password should be left to the system. If we can already use a gMSA account in ATP, it should also be able to handle it and not alert me about a password expiration.
The password policy is:
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
EliOfek, May 13, 2020
Microsoft
The fact that we even alert on gMSA accounts is a bug; you don't have anything to do in that regard...
There is no question about it.
I asked because I am trying to figure out why it pops up in your case and not in others.
By default, when you define the gMSA account, its password expiry policy is 1 month, but you can change it. My question was whether you changed it to something lower than 1 month...
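The check EliOfek is asking for (whether the gMSA's own roll interval was set below the 30-day default) can be done from a domain-joined admin host with the ActiveDirectory module. The following is an added example, not code from the thread or from the Azure ATP product: it reads the per-account `msDS-ManagedPasswordInterval` attribute (set once at creation via `New-ADServiceAccount -ManagedPasswordIntervalInDays`; the domain's "Maximum password age" shown above does not govern gMSA rolls) and estimates the next roll. The account name is taken from the alert text in the thread; using `PasswordLastSet` as the time of the last roll is an assumption made here for the estimate.

```powershell
# Added example (not from the thread): inspect the gMSA's own password roll
# interval and estimate when the next roll is due.
# Account name comes from the alert quoted in the thread; adjust as needed.
$gmsaName = 'gmsa-ATPSensor$'

$acct = Get-ADServiceAccount -Identity $gmsaName -Properties `
    'msDS-ManagedPasswordInterval', 'PasswordLastSet', 'PrincipalsAllowedToRetrieveManagedPassword'

# msDS-ManagedPasswordInterval is the per-account roll interval in days.
# It is fixed at creation (New-ADServiceAccount -ManagedPasswordIntervalInDays);
# when the attribute is absent the default of 30 days applies.
$intervalDays = $acct.'msDS-ManagedPasswordInterval'
if (-not $intervalDays) { $intervalDays = 30 }

# Assumption: pwdLastSet (surfaced as PasswordLastSet) reflects the last managed roll.
$lastSet  = $acct.PasswordLastSet
$nextRoll = if ($lastSet) { $lastSet.AddDays($intervalDays) } else { $null }

[pscustomobject]@{
    Account           = $acct.SamAccountName
    IntervalDays      = $intervalDays
    PasswordLastSet   = $lastSet
    EstimatedNextRoll = $nextRoll
    DaysUntilRoll     = if ($nextRoll) { [math]::Round(($nextRoll - (Get-Date)).TotalDays, 1) } else { 'unknown' }
    AllowedToRetrieve = ($acct.PrincipalsAllowedToRetrieveManagedPassword -join ', ')
}

# This is the condition EliOfek asked about: an interval shorter than the default.
if ($intervalDays -lt 30) {
    Write-Warning "$gmsaName rolls its password every $intervalDays days (default is 30)."
}

# Run on the sensor host itself: confirms the host is allowed to retrieve the
# managed password, which is what keeps the sensor working across a roll.
Test-ADServiceAccount -Identity $gmsaName
```

If `IntervalDays` is 30 and `Test-ADServiceAccount` returns `True` on each sensor host, the account is rolling on the default schedule and the sensor can follow it; the alert is then the reporting bug EliOfek describes rather than something to fix on the account.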