Event details
If you have an on-premises Active Directory environment, you do not want to miss this session! The AD product group will present and demonstrate some of the new AD capabilities coming in Windows Serv...
Char_Cheesman
Updated Dec 27, 2024
MathiasR
Mar 26, 2024
Brass Contributor
I love the DMSA migration process, that looks great! What is the end state for a service account that has been succeeded by a DMSA? Can the old account eventually be deleted? I did not catch if the services are reconfigured to use the DMSA as part of this process.
Wayne_McIntyre
Microsoft
Mar 26, 2024
The end state is the account is disabled. In order to delete the account, you would have to update all servers that use this account to instead log on directly with the dMSA account (using the same way you configure a gMSA in the Services snap-in / Task Scheduler / SQL / etc...). This is not an automated process and we will publish the manual steps needed if you wanted to completely delete the original account. The benefit at least is you can easily identify all machines where the account is used via the msDS-GroupMSAMembership attribute (principals allowed to retrieve managed password in the PowerShell verbiage).
AD admins will also need to be careful with automated scripts that delete disabled/stale accounts and be sure to exclude the original service account from these automated cleanup scripts.
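One way to act on both points above from the defender's side, as an added PowerShell example that is not code from the thread or from Microsoft: it resolves the computers allowed to retrieve a dMSA's managed password (the msDS-GroupMSAMembership attribute, exposed as PrincipalsAllowedToRetrieveManagedPassword) and builds a stale-disabled-account query that skips any account a dMSA still supersedes. It assumes the RSAT ActiveDirectory module and the Windows Server 2025 schema attribute msDS-ManagedAccountPrecededByLink (the dMSA's link to the account it replaced); the dMSA name in the usage line is hypothetical.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module and
# the Windows Server 2025 dMSA schema attribute msDS-ManagedAccountPrecededByLink.
Import-Module ActiveDirectory

# Resolve every computer allowed to retrieve a dMSA's managed password
# (msDS-GroupMSAMembership), expanding group principals recursively.
function Get-DmsaUsage {
    param([Parameter(Mandatory)][string]$DmsaName)

    $dmsa = Get-ADServiceAccount -Identity $DmsaName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedAccountPrecededByLink'

    $computers = foreach ($dn in $dmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        $principal = Get-ADObject -Identity $dn
        switch ($principal.ObjectClass) {
            'computer' { $principal.Name }
            'group'    { Get-ADGroupMember -Identity $dn -Recursive |
                         Where-Object ObjectClass -eq 'computer' |
                         ForEach-Object Name }
            default    { Write-Warning "Unexpected principal type $($principal.ObjectClass): $dn" }
        }
    }

    [pscustomobject]@{
        DMSA              = $dmsa.SamAccountName
        SupersededAccount = $dmsa.'msDS-ManagedAccountPrecededByLink'   # DN of the old account, or $null
        Computers         = @($computers | Sort-Object -Unique)
    }
}

# Stale-disabled-account query that never returns an account a dMSA still
# supersedes, so an automated cleanup job cannot delete it by mistake.
function Get-StaleDisabledUser {
    param([int]$InactiveDays = 90)

    $superseded = Get-ADServiceAccount -LDAPFilter '(msDS-ManagedAccountPrecededByLink=*)' `
        -Properties 'msDS-ManagedAccountPrecededByLink' |
        ForEach-Object { $_.'msDS-ManagedAccountPrecededByLink' }

    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    Get-ADUser -Filter { Enabled -eq $false -and LastLogonDate -lt $cutoff } -Properties LastLogonDate |
        Where-Object { $superseded -notcontains $_.DistinguishedName }
}

# Usage (hypothetical dMSA name):
# Get-DmsaUsage -DmsaName 'svc-app-dmsa$'
# Get-StaleDisabledUser -InactiveDays 120 | Select-Object SamAccountName, LastLogonDate
```

Feed the output of Get-StaleDisabledUser to your existing cleanup job in place of a bare "disabled and inactive" filter; the superseded account then stays until the servers have been repointed at the dMSA and the link is gone.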
MathiasR
Mar 26, 2024
Brass Contributor
Thanks for explaining that, Wayne, that's how I pictured it. This will help a lot, great feature!