May 18 2022 09:30 PM
Hello, I have followed the steps outlined in the documentation (https://docs.microsoft.com/en-us/defender-for-identity/manage-action-accounts) and (https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-star...). For some reason the Microsoft Tri.Sensor log keeps throwing a System.UnauthorizedAccessException: Access is denied error. I confirmed that all the permissions have been set (tried permissions at both the root level and the OU level) and the account is configured for Log on as a service.
at void System.DirectoryServices.Interop.UnsafeNativeMethods+IAds.SetInfo()
at void System.DirectoryServices.DirectoryEntry.CommitChanges()
at void System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes)
at void System.DirectoryServices.AccountManagement.ADStoreCtx.Update(Principal p)
at void Microsoft.Tri.Sensor.EntityRemediator.RemediateUser(UserRemediationAction userRemediationAction)
at void System.Security.Principal.WindowsIdentity.RunImpersonated(SafeAccessTokenHandle safeAccessTokenHandle, Action action)
at void Microsoft.Tri.Sensor.Common.Impersonator.Run(Action action)
at async Task<RemediationActionResultCode> Microsoft.Tri.Sensor.EntityRemediator.RemediateEntityWithAnyImpersonatedGmsaAsync(RemediationAction remediationAction, Action remediateEntity)
2022-05-18 18:02:46.0679 Error UnsafeNativeMethods+IAds RemediateEntityWithAnyImpersonatedGmsaAsync [DomainDnsName=MECM.lab ActionType=DisableUser UserId=c82be145-6fb9-4adf-9246-0ac507842b9e credentialDomain=MECM.lab credentialUserName=mdi-actions]
System.UnauthorizedAccessException: Access is denied.
May 19 2022 11:53 AM