BloodHoundAD / BloodHound

Six Degrees of Domain Admin
GNU General Public License v3.0

AdminTo edges to gMSAs and sMSA #644

Closed JonasBK closed 1 year ago

JonasBK commented 1 year ago

TLDR: BloodHound creates AdminTo edges to service accounts (gMSAs and sMSAs) based on GPO data. gMSAs and sMSAs are not computers, so these edges should not be created.

Description: It is possible to add a domain group to the Administrators group of a domain-joined computer through a GPO using Group Policy Preferences: [screenshot]

This will make BloodHound create an AdminTo edge from the given group (Domain Users in this example) to the computers which this GPO is linked to.

However, it appears that AdminTo edges are also created to gMSAs and sMSAs: [screenshot]

I assume it has something to do with the fact that the msDS-GroupManagedServiceAccount and msDS-ManagedServiceAccount are subclasses of the Computer LDAP class.
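The behaviour described in this issue, as an added illustration (example code, not BloodHound or SharpHound code): because msDS-GroupManagedServiceAccount and msDS-ManagedServiceAccount inherit from the computer class, the objectClass list of a gMSA or sMSA also contains "computer", and a collector that only tests for that value will treat them as computers when it maps a GPO-pushed local Administrators membership onto the objects in the GPO's scope. The snippet contrasts that naive test with a check that looks at the most specific class first. The sample objects, OU names and the function names are constructed for this example; the sAMAccountName values end in "$" for both real computers and MSAs, which is why the name alone cannot be used to tell them apart.

```python
"""Keep GPO-derived AdminTo edges only for real computers, not gMSA/sMSA.

Illustrative code written for this issue; not part of BloodHound.
All sample objects below are constructed.
"""

from typing import Iterable

# objectClass values are compared case-insensitively, as LDAP does.
GMSA_CLASS = "msds-groupmanagedserviceaccount"
SMSA_CLASS = "msds-managedserviceaccount"
COMPUTER_CLASS = "computer"


def classify(object_classes: Iterable[str]) -> str:
    """Return 'gMSA', 'sMSA', 'Computer' or 'Other' for an objectClass list.

    Both MSA classes inherit from 'computer', so their objectClass lists
    contain 'computer' as well. Test the most specific class first; a bare
    'computer' membership test would label the MSAs as computers.
    """
    classes = {c.lower() for c in object_classes}
    if GMSA_CLASS in classes:
        return "gMSA"
    if SMSA_CLASS in classes:
        return "sMSA"
    if COMPUTER_CLASS in classes:
        return "Computer"
    return "Other"


def gpo_admin_edges_naive(group: str, objects_in_scope: list) -> list:
    """The buggy mapping: any object whose objectClass contains 'computer'
    gets an AdminTo edge, so gMSAs and sMSAs are included."""
    return [
        (group, obj["sAMAccountName"])
        for obj in objects_in_scope
        if COMPUTER_CLASS in {c.lower() for c in obj["objectClass"]}
    ]


def gpo_admin_edges(group: str, objects_in_scope: list) -> list:
    """The corrected mapping: only objects classified as 'Computer'
    (i.e. not an MSA subclass) receive an AdminTo edge."""
    return [
        (group, obj["sAMAccountName"])
        for obj in objects_in_scope
        if classify(obj["objectClass"]) == "Computer"
    ]


# Constructed sample: objects covered by a GPO linked at the domain root.
# Note that the MSA names end in '$' exactly like the computer account does.
OBJECTS_IN_SCOPE = [
    {
        "dn": "CN=WS01,OU=Workstations,DC=corp,DC=local",
        "sAMAccountName": "WS01$",
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
    },
    {
        "dn": "CN=svc-sql,CN=Managed Service Accounts,DC=corp,DC=local",
        "sAMAccountName": "svc-sql$",
        "objectClass": ["top", "person", "organizationalPerson", "user",
                        "computer", "msDS-GroupManagedServiceAccount"],
    },
    {
        "dn": "CN=svc-legacy,CN=Managed Service Accounts,DC=corp,DC=local",
        "sAMAccountName": "svc-legacy$",
        "objectClass": ["top", "person", "organizationalPerson", "user",
                        "computer", "msDS-ManagedServiceAccount"],
    },
    {
        "dn": "CN=alice,CN=Users,DC=corp,DC=local",
        "sAMAccountName": "alice",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
    },
]


if __name__ == "__main__":
    for obj in OBJECTS_IN_SCOPE:
        print(f"{obj['sAMAccountName']:<12} -> {classify(obj['objectClass'])}")
    print("naive:", gpo_admin_edges_naive("Domain Users", OBJECTS_IN_SCOPE))
    print("fixed:", gpo_admin_edges("Domain Users", OBJECTS_IN_SCOPE))
```

Run stand-alone, the naive mapping yields three AdminTo edges (WS01$, svc-sql$, svc-legacy$) while the corrected mapping yields only the edge to WS01$.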

JonasBK commented 1 year ago

Closing - Fixed in 4.3.1 🥳