netwrix / pingcastle

PingCastle - Get Active Directory Security at 80% in 20% of the time
https://www.pingcastle.com

P-ProtectedUsers and MSA/gMSA #215

Closed florentflo91 closed 9 months ago

florentflo91 commented 9 months ago

Hello, we have a gMSA service account in the P-ProtectedUsers rule, is it normal? (it's a service account used for Azure AAD Connect)

An-dir commented 9 months ago

The class "msDS-GroupManagedServiceAccount" seems to be excluded in the next pingcastle release :( You could test the beta, BUT you should not have a gMSA with "Domain Admin" permissions, and you will not be able to use them for Entra ID Connect anymore by default.

Beginning in build 1.4.###.#, you no longer can use an Enterprise Administrator account or a Domain Administrator account as the AD DS Connector account. If you attempt to enter an account that is an Enterprise Administrator or Domain Administrator for Use existing account, the wizard displays an error message and you can't proceed.

Source: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions
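As an added illustration (not PingCastle's own code or the rule's implementation), the following PowerShell lists privileged group members that are not in Protected Users while separating gMSAs by their objectClass, which is the distinction the comment above describes. It assumes the RSAT ActiveDirectory module, a domain that has the Protected Users group, and a privileged-group list you adjust for your environment.

```powershell
# Added example, not PingCastle's own check: report privileged accounts missing from
# Protected Users, and list gMSAs separately since the class is excluded from the rule.
Import-Module ActiveDirectory

# Assumption: the groups treated as privileged; extend to match your tier-0 definition.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

# Distinguished names of everything currently protected (assumes the group exists).
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty distinguishedName

$results = foreach ($group in $privilegedGroups) {
    # Enterprise Admins only exists in the forest root; skip groups that are absent.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{
                Group       = $group
                Name        = $_.SamAccountName
                ObjectClass = $_.objectClass
                IsGmsa      = ($_.objectClass -eq 'msDS-GroupManagedServiceAccount')
                InProtected = ($protected -contains $_.distinguishedName)
            }
        }
}

# Ordinary accounts with privileged membership that are not in Protected Users:
# these are the findings the rule is meant to surface.
$results | Where-Object { -not $_.IsGmsa -and -not $_.InProtected } | Format-Table -AutoSize

# gMSAs holding privileged membership: Protected Users does not apply to them,
# so the question is whether the membership itself is still needed.
$results | Where-Object { $_.IsGmsa } | Format-Table -AutoSize
```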

florentflo91 commented 9 months ago

Ok, thank you very much for your response.