May 06 2020 01:33 PM
Hi Azure ATP Team,
My Azure ATP is configured to run with a Group Managed Service Account to read AD DS. Why does ATP alert me about "Read-only user password to expire shortly" for a gMSA?
Kind Regards
Steve
May 13 2020 01:06 AM
Hi @jazzer
Are you still seeing the health alert on the gMSA?
Are the sensors still working?
Thanks
Gershon [MSFT]
May 13 2020 12:46 PM
Yes, the alert is still active and the sensors are still working. I want the system to manage the password. I don't want to have to set the gMSA to "Password never expires"!
The Medium Alert is:
A health issue occurred in contoso
The password for the read-only user, contoso.com\gmsa-ATPSensor$, expires on 5/29/2020 6:58:43 AM UTC. The read-only user is used by the Sensor services to perform LDAP queries against the domain controllers in the environment. If the password expires, the system will stop functioning as expected.
May 13 2020 12:59 PM - edited May 13 2020 01:07 PM
@jazzer What is the password expiry policy for this account/domain ?
The default for gmsa is to roll passwords once a month. any chance you changed it to something lower?
May 13 2020 01:20 PM
Hi @EliOfek
What do you mean by "changed it to something lower"? The purpose of a gMSA is that the system manages and changes the password, like a computer account. The interval at which the system changes the password should be left to the system. If we can already use a gMSA account in ATP, it should also be able to handle it and not alert me about a password expiration.
The Password Policy is like:
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
May 13 2020 01:37 PM
Solution
The fact that we even alert on gMSA accounts is a bug; you don't have anything to do in that regard...
There is no question about it..
I asked because I am trying to figure out why it pops in your case and not in others.
By default, when you define the gMSA account, its password expiry policy is 1 month, but you can change it. My question was if you changed it to something lower than 1 month...
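To check what the rotation schedule for the sensor's gMSA actually is (the question raised in this post), the following is an added example, not code from the thread or from Microsoft: it reads the managed-password interval and last rotation time from AD and confirms the sensor host can retrieve the password. It assumes the RSAT ActiveDirectory module and uses the account name from the alert (gmsa-ATPSensor) as a placeholder.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module
# and read access to the gMSA object. Replace the placeholder name with your gMSA.
Import-Module ActiveDirectory

$gmsaName = 'gmsa-ATPSensor'   # sAMAccountName without the trailing '$' (placeholder from the alert text)

$acct = Get-ADServiceAccount -Identity $gmsaName -Properties `
    msDS-ManagedPasswordInterval, PasswordLastSet, PrincipalsAllowedToRetrieveManagedPassword

# msDS-ManagedPasswordInterval (days) is fixed when the gMSA is created; default is 30.
# The KDS rolls the password once the interval has elapsed and a permitted host next retrieves it,
# so ExpectedNextRoll is the earliest date the current password is replaced.
$intervalDays = [int]$acct.'msDS-ManagedPasswordInterval'
$lastSet      = [datetime]$acct.PasswordLastSet
$nextRoll     = $lastSet.AddDays($intervalDays)

[pscustomobject]@{
    Account          = $acct.SamAccountName
    IntervalDays     = $intervalDays
    PasswordLastSet  = $lastSet
    ExpectedNextRoll = $nextRoll
    DaysUntilRoll    = [math]::Round(($nextRoll - (Get-Date)).TotalDays, 1)
    AllowedHosts     = ($acct.PrincipalsAllowedToRetrieveManagedPassword -join ', ')
}

# Run on the sensor host itself: $true means this machine is permitted to retrieve
# the managed password, i.e. the sensor will keep working across a rotation.
Test-ADServiceAccount -Identity $gmsaName
```

If IntervalDays is 30 and the alert's expiry date matches ExpectedNextRoll, the account is rolling on the default schedule and the alert is the cosmetic one described in this thread.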
May 14 2020 12:53 AM
Hi @EliOfek
Thanks for your clear statement that this is a BUG. No we did not change the time for the password change policy on the GMSA Account. Should we do any configuration on the GMSA account to bypass the alert? Please let me know.
Regards Steve
May 14 2020 01:48 AM
@jazzer My suggestion is not to mess with it until we manage to fix it. Given that you didn't change anything from default, I would suggest leaving it as is and ignoring it for now.
Oct 16 2020 06:22 AM
hi @EliOfek,
I have the same problem, sensor version 2.128.8744.
Is the bug still not fixed?
Thanks
Mike
Oct 16 2020 12:57 PM
@Michele D'Angelantonio Sadly no, it's prioritized low as it's not causing any real issues on detection.
You can just ignore those alerts for gMSA accounts until we fix it.