Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Defender ATP doesnt remove old service account when switched te new account

Copper Contributor

Good day all,

 

Last week i wanted to setup a gmsa account instead of a user account for ATP Defender for identity service.
I had a test account which i later changed to the new one. 
The new gMSA account works fine now. 
But the thing is:

I have removed the old testgmsa account but the old account somehow are still being reported that the credentials are not correct. The issues keeps popping up in our portal.defenderatp.jpg
Does anyone have seen this behaviour? And is there a fix for this?

6 Replies
Close the alert, if it says closed it's OK, if it reopens let me know.
We close the alert if we see the credentials fixed, but in this case you removed it while they were in error, so we are not reporting it fixed to auto close this.
Thanks for your quick reply! unfortunatly the alert immediatly re-opens when i close the alert.
this account is no longer in the credentials list in the MDI portal ? can you make sure?
are all sensors currently reporting healthy ?
is it possible not all sensors can pull the gmsa's password for the new credentials ?

@Eli Ofek 

 

Correct. All sensors installed and confirmed as "running" ands report healthy. The current account is working. 

I did a test just to switched to a non-existing account and switch back to the current working account. 

And now two accounts reports credential failures, even though they are not existing and not selected as account. 

 

I can also confirm that all dc's are in the gmsa group for receiving password.

Weird, this seems too challenging for a forum troubleshooting, please open a support case for this one, so the engineer can collect sensor logs and check why the sensors keep using the old credentials.
Oke, i will do that!And thanks anyway for your efforts!