SOLVED

Medium Alert Read-only user password to expire shortly on GMSA


Hi Azure ATP Team,

My Azure ATP is configured to run with a Group Managed Service Account to read the ADDS. Why does ATP alert me about "Read-only user password to expire shortly" for a GMSA?

 

Kind Regards

Steve 

9 Replies

Hi @jazzer 

 

Are you still seeing the health alert on the gMSA? 

 

Are the sensors still working? 

 

Thanks

Gershon [MSFT]


Hi @Gerson Levitz

 

Yes, the Alert is still active and the Sensors are still working. I want the system to manage the password. I don't want to have to set the gmsa to Password never expire!

 

The Medium Alert is:

A health issue occurred in contoso

The password for the read-only user, contoso.com\gmsa-ATPSensor$, expires on 5/29/2020 6:58:43 AM UTC. The read-only user is used by the Sensor services to perform LDAP queries against the domain controllers in the environment. If the password expires, the system will stop functioning as expected.

 

 


@jazzer What is the password expiry policy for this account/domain?

The default for gmsa is to roll passwords once a month. Any chance you changed it to something lower?

Hi @Eli Ofek

 

What do you mean by "changed it to something lower"? The purpose of a gmsa is that the system manages and changes the password, like a computer account. In what intervals the system changes the password should be left to the system. If we can already use a gmsa account in ATP, it should also be able to handle it and not alert me about a password expiration.

 

The Password Policy is like:

Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30 

Best Response confirmed by jazzer (New Contributor)
Solution

The fact that we even alert on gmsa accounts is a bug, you don't have anything to do in that regard...

There is no question about it.

 

I asked because I am trying to figure out why it pops in your case and not in others.

By default, when you define the gmsa account, its password expiry policy is 1 month, but you can change it. My question was if you changed it to something lower than 1 month...
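
The interval asked about in this answer can be read from the gMSA object itself. The following is an added example, not part of the original thread and not Microsoft's code: it assumes the ActiveDirectory PowerShell module (RSAT) is installed, uses the account name from the alert quoted earlier, and the function name `Get-GmsaPasswordRollover` is hypothetical. The next-rollover date it reports is an estimate derived from the last password set time.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-GmsaPasswordRollover {
    param(
        # sAMAccountName of the gMSA, with or without the trailing '$'
        [Parameter(Mandatory)][string]$Identity
    )

    $props = 'msDS-ManagedPasswordInterval', 'PasswordLastSet'
    $acct  = Get-ADServiceAccount -Identity $Identity -Properties $props

    # Only group managed service accounts carry a managed password interval.
    if ($acct.ObjectClass -ne 'msDS-GroupManagedServiceAccount') {
        throw "$Identity is not a gMSA (objectClass: $($acct.ObjectClass))"
    }

    # Interval in days; it is fixed when the account is created
    # (New-ADServiceAccount -ManagedPasswordIntervalInDays, default 30).
    $interval = $acct.'msDS-ManagedPasswordInterval'

    # Estimate only: last password set time plus the managed interval.
    $nextRoll = $null
    if ($acct.PasswordLastSet) {
        $nextRoll = $acct.PasswordLastSet.AddDays($interval)
    }

    [pscustomobject]@{
        Account               = $acct.SamAccountName
        IntervalDays          = $interval
        ChangedFromDefault    = ($interval -ne 30)
        PasswordLastSet       = $acct.PasswordLastSet
        EstimatedNextRollover = $nextRoll
    }
}

# Account name taken from the health alert quoted in the thread.
Get-GmsaPasswordRollover -Identity 'gmsa-ATPSensor' | Format-List
```

If `ChangedFromDefault` is `False`, the account still has the default interval this answer asks about, and the estimated rollover date can be compared with the expiry date shown in the health alert.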


Hi @Eli Ofek 

Thanks for your clear statement that this is a BUG. No we did not change the time for the password change policy on the GMSA Account. Should we do any configuration on the GMSA account to bypass the alert? Please let me know.

 

Regards Steve

@jazzer My suggestion is not to mess with it until we manage to fix it. Given that you didn't change anything from default, I would suggest to leave it as is and ignore it for now.

Hi @Eli Ofek,

I have the same problem, sensor version 2.128.8744.

The bug is still not fixed?

Thanks

Mike 

@Michele D'Angelantonio Sadly no, it's prioritized low as it's not causing any real issues on detection.

You can just ignore those alerts for gmsa accounts until we fix it.