Apr 28 2020 02:55 PM - edited May 05 2020 02:59 AM
Hello,
We are switching our service account for ATP to a gMSA.
We are following the gMSA guidance in this article: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-prerequisites
Do you have any guidance for the following gMSA properties, or any other gMSA properties:
-ServicePrincipalNames <string[]>
-KerberosEncryptionType AES128,AES256
-ManagedPasswordIntervalInDays xx
I assume the PrincipalsAllowedToRetrieveManagedPassword will be set to the built-in Group “Domain Controllers”, correct?
Thank you
May 05 2020 01:04 AM
@bryanb The main requirement for the creation of the gMSA is indeed the PrincipalsAllowedToRetrieveManagedPassword attribute which points to a group that contains the computer accounts with the sensor installed (you can use the Domain Controller group or a dedicated group for that).
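As an added illustration of the answer above (not code from the thread or from Microsoft's documentation), the following PowerShell creates a gMSA with the properties bryanb asked about and points PrincipalsAllowedToRetrieveManagedPassword at the built-in Domain Controllers group. The account name, DNS host name, domain and the 30-day rotation interval are constructed values; no ServicePrincipalNames are set because the thread gives no guidance on them and the sensor does not register one here. Note that ManagedPasswordIntervalInDays is fixed at creation and cannot be changed afterwards, and that a KDS root key created now is not usable by other DCs for about 10 hours.

```powershell
# Added example (not from the thread or Microsoft docs): create the gMSA the sensor will run as.
# Constructed values: account "mdiSvc01", domain "corp.example.com", 30-day rotation.
# Run from an elevated PowerShell on a domain member with the RSAT AD module installed.
Import-Module ActiveDirectory

# A KDS root key must exist before any gMSA can be created. A key created now becomes
# usable on all DCs roughly 10 hours later, so create it ahead of time.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date)
    Write-Warning "KDS root key created; wait about 10 hours before creating the gMSA."
}

$gmsaName = 'mdiSvc01'                           # constructed name
$dnsName  = 'mdiSvc01.corp.example.com'          # constructed FQDN
$readers  = Get-ADGroup 'Domain Controllers'     # who may retrieve the managed password

New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $dnsName `
    -PrincipalsAllowedToRetrieveManagedPassword $readers `
    -KerberosEncryptionType AES128,AES256 `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# Confirm the attributes that matter for the sensor
Get-ADServiceAccount $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword,
    KerberosEncryptionType, ServicePrincipalNames, 'msDS-ManagedPasswordInterval' |
    Format-List Name, PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType,
        ServicePrincipalNames, 'msDS-ManagedPasswordInterval'

# On each DC that will run the sensor (run locally on that DC), verify the host can
# actually retrieve the password. Test-ADServiceAccount returns True on success.
Install-ADServiceAccount -Identity $gmsaName
Test-ADServiceAccount -Identity $gmsaName
```

Test-ADServiceAccount returning False on a DC almost always means that DC's computer account is not (yet) covered by PrincipalsAllowedToRetrieveManagedPassword, or that the computer's Kerberos ticket predates a group change and needs a refresh.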
May 07 2020 10:10 AM
@Or Tsemah
Thanks for the response. Something else we found during testing.
We have read-only domain controllers so that is a different group that needs to be added to the gMSA properties.
We had to grant the gMSA "Log on as a service" rights on each domain controller. A standard account did not require this OS right on the ADDS servers.
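The two findings in the post above (RODCs live in the Read-only Domain Controllers group, not Domain Controllers, and the gMSA needed the "Log on as a service" right on each DC) are easy to audit centrally. The following PowerShell is an added example, not code from the thread: it lists every DC that is not covered by the gMSA's PrincipalsAllowedToRetrieveManagedPassword setting, and remotely exports each DC's local security policy to check whether the gMSA's SID appears under SeServiceLogonRight. The gMSA name is a constructed value; the script assumes PowerShell remoting to the DCs is allowed and that you hold local admin rights there.

```powershell
# Added example (not from the thread): audit all DCs, RODCs included, for gMSA readiness.
# Constructed value: gMSA name "mdiSvc01". Requires the RSAT AD module and PS remoting.
Import-Module ActiveDirectory

$gmsaName = 'mdiSvc01'                                     # constructed name
$gmsa     = Get-ADServiceAccount $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$gmsaSid  = $gmsa.SID.Value
$dcs      = Get-ADDomainController -Filter *               # -Filter * returns RODCs too (IsReadOnly)

# Expand PrincipalsAllowedToRetrieveManagedPassword into the set of computer DNs it covers.
# The attribute holds DNs of groups and/or computers; groups are expanded recursively.
$allowed = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject $dn
    if ($obj.ObjectClass -eq 'group') {
        (Get-ADGroupMember $dn -Recursive | Where-Object objectClass -eq 'computer').distinguishedName
    } elseif ($obj.ObjectClass -eq 'computer') {
        $dn
    }
}

# Check 1: which DCs cannot retrieve the password because they are not in the allowed set
$notCovered = $dcs | Where-Object { $allowed -notcontains $_.ComputerObjectDN }

# Check 2: does the gMSA hold SeServiceLogonRight on each DC? secedit writes SIDs prefixed with '*'.
$rights = Invoke-Command -ComputerName $dcs.HostName -ArgumentList $gmsaSid -ScriptBlock {
    param($sid)
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    [bool]($line -and $line.Line -match [regex]::Escape("*$sid"))
}

# Combine into one report line per DC
$dcs | ForEach-Object {
    $dc = $_
    [pscustomobject]@{
        DC                   = $dc.HostName
        ReadOnly             = $dc.IsReadOnly
        CanRetrievePassword  = ($notCovered.HostName -notcontains $dc.HostName)
        HasLogOnAsService    = [bool]($rights | Where-Object PSComputerName -eq $dc.HostName)
    }
} | Sort-Object ReadOnly, DC | Format-Table -AutoSize
```

A DC showing CanRetrievePassword = False is the RODC case from the post: its computer account sits in Read-only Domain Controllers, so either that group or a dedicated group containing all DCs must be listed in the gMSA's PrincipalsAllowedToRetrieveManagedPassword. A False under HasLogOnAsService is the "Log on as a service" gap, which is normally fixed centrally through the Default Domain Controllers Policy rather than per server.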
May 07 2020 10:15 AM
May 07 2020 02:36 PM
@Or Tsemah Thanks, that is probably the same issue we have with the logon rights.
Dedicated groups work also. The disadvantage for us is remembering to add the computers to that group as part of an ADDS server deployment.
May 07 2020 10:47 PM
Jul 07 2020 12:32 AM
@bryanb What is the recommended approach with a gMSA account when you have multiple domains in the forest. Can we use single gMSA created in forest root domain to use on all the child domains, or would you need a gMSA for each domain in the forest?
Nov 20 2020 01:28 PM
@JohanHeyneke OMG - that stinks that no one answered your question.
You can absolutely use a single GMSA for your entire forest.
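To make the single-forest-wide gMSA from the answer above workable, the group that may retrieve the password has to hold computer accounts from every domain, which rules out a global group; a universal security group in the forest root does the job. The following PowerShell is an added example, not code from the thread: it creates (or reuses) such a group, enumerates every DC in every domain of the forest (RODCs included), adds any that are missing, and points the gMSA at the group. The group name, gMSA name and the use of the root PDC emulator as the target server are constructed choices; the gMSA is assumed to exist already in the root domain.

```powershell
# Added example (not from the thread): one gMSA for the whole forest, readable by a universal
# group in the forest root that contains every DC of every domain.
# Constructed values: group "MDI-Sensor-Hosts", gMSA "mdiSvc01".
Import-Module ActiveDirectory

$forest    = Get-ADForest
$rootDc    = (Get-ADDomain $forest.RootDomain).PDCEmulator   # write everything to one root DC
$groupName = 'MDI-Sensor-Hosts'                             # constructed
$gmsaName  = 'mdiSvc01'                                     # constructed, assumed to exist in root

# Universal scope so computer accounts from child domains can be members
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -Server $rootDc
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security `
                         -Server $rootDc -PassThru
}

# Every DC in every domain; -Filter * includes RODCs
$allDcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

# Read the raw member attribute rather than Get-ADGroupMember, which can choke on
# cross-domain members; then add the computer objects that are not yet in the group.
$current = (Get-ADGroup $group -Properties member -Server $rootDc).member
$missing = $allDcs | Where-Object { $current -notcontains $_.ComputerObjectDN }
foreach ($dc in $missing) {
    $computer = Get-ADComputer $dc.ComputerObjectDN -Server $dc.Domain
    Add-ADGroupMember -Identity $group -Members $computer -Server $rootDc
}

# Point the gMSA at the universal group (this replaces the previous value)
Set-ADServiceAccount -Identity $gmsaName -Server $rootDc `
    -PrincipalsAllowedToRetrieveManagedPassword $group

# Coverage report: DCs per domain and how many were added in this run
$allDcs | Group-Object Domain | ForEach-Object {
    [pscustomobject]@{
        Domain   = $_.Name
        DCs      = $_.Count
        AddedNow = ($missing | Where-Object Domain -eq $_.Name).Count
    }
} | Format-Table -AutoSize
```

A DC that was just added to the group still carries a computer Kerberos ticket issued before the change, so Test-ADServiceAccount on it will return False until that ticket is refreshed (a reboot, or purging the LocalSystem ticket cache with `klist -li 0x3e7 purge`). Re-running this script after each new DC deployment also addresses bryanb's concern about forgetting to add new servers to the dedicated group.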