Group Managed Service accounts and NETLOGON errors

whatwaht · ‎Jul 01 2020

Hi,

We have Group Managed Service accounts set up to run some services and scheduled tasks. They have permissions on various resources.

i.e. one runs a scheduled task that runs a powershell script that runs the backups on an SQL server so has permissions on the SQL Server (Windows Authentication), another that has security permissions on file server shares etc.

They are all working perfectly fine... however.

I have noted these errors on the domain controller:

Error 5723
The session setup from computer 'MSAAccount' failed because the security database does not contain a trust account 'MSAAccount$' referenced by the specified computer.

Error 5805
The session setup from the computer MSAAccount failed to authenticate. The following error occurred:
Access is denied.

Can anyone advise what may be causing the errors? The accounts are working fine and can still access the resources they need. I thought they may be related to the domain trying to change the password for the accounts but am unsure.

thanks

j

whatwaht · ‎Jul 06 2020

RIGHT! So ignore most of that!

The GMSA account in question is an old account that was uninstalled. Seems something somewhere is still trying to use it. I'm not sure how to go about finding the device using it though.

If I run get-adserviceaccount -Identity MSAAccount it cannot find the object.

Any thoughts?

cheers

EDIT:

I've run Uninstall-ADServiceAccount -Identity MSAAccount -ForceRemoveLocal on the servers I think may have used the GMSA. They only returned an error saying it didn't exist in the directory. Still getting the error.

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Group Managed Service accounts and NETLOGON errors

Group Managed Service accounts and NETLOGON errors

Re: Group Managed Service accounts and NETLOGON errors