05-06-2020 01:33 PM
05-06-2020 01:33 PM
Hi Azure ATP Team,
my Azure ATP is configured runs with a Group Managed Service Account to read the ADDS. Why ATP Alert my abount "Read-only user password to expire shortly" by a GMSA?
05-13-2020 01:06 AM
Are you still seeing the health alert on the gMSA?
Are the sensors still working?
05-13-2020 12:46 PM
Yes the Alert is still active and the Sensors are still working. I want the system to manage the password. I don't want to have to set the gmsa to Password never expiere!
The Medium Alert is:
A health issue occurred in contoso
The password for the read-only user, contoso.com\gmsa-ATPSensor$, expires on 5/29/2020 6:58:43 AM UTC. The read-only user is used by the Sensor services to perform LDAP queries against the domain controllers in the environment. If the password expires, the system will stop functioning as expected.
05-13-2020 12:59 PM - edited 05-13-2020 01:07 PM
@jazzer What is the password expiry policy for this account/domain ?
The default for gmsa is to roll passwords once a month. any chance you changed it to something lower?
05-13-2020 01:20 PM
HIi @Eli Ofek
what you mean by "changed it to something lower". The purpose of a gmsa is that the system manages and changes the password, like a computer account. In what intervals the system changes the password should be left to the system. If we can already use a gmsa account in ATP, it should also be able to handle it and do not alert my about a password expiration.
The Password Policy is like:
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
05-13-2020 01:37 PMSolution
The fact that we even alert on gmsa accounts is a bug, you don't have anything to do in that regards...
There is no question about it..
I asked because I am trying to figure out why it pops in your case and not in others.
by default, when you define the gmsa account, it's password expiry policy is 1 month, but you can change it. my question was if you changed it to something lower than 1 month...
05-14-2020 12:53 AM
Hi @Eli Ofek
Thanks for your clear statement that this is a BUG. No we did not change the time for the password change policy on the GMSA Account. Should we do any configuration on the GMSA account to bypass the alert? Please let me know.
05-14-2020 01:48 AM
@jazzer My suggestion is not to mess with it until we manage to fix it. given that you didn't change anything from default, I would suggest to leave it as is and ignore it for now.
10-16-2020 06:22 AM
hi @Eli Ofek,
I have the same problem, sensor version 2.128.8744.
The bug is still not fixed?
10-16-2020 12:57 PM
@Michele D'Angelantonio Sadly no, it's prioritized low as it's not causing any real issues on detection.
you can just ignore those alert for gmsa accounts until we fix it.