Our Active Directory Domain contains two Managed Service Accounts, MediaAdmin and ServerAdmin:
I don't remember adding them, and Google tells me that they are related to the Windows Server Essentials role. Their HostComputers attribute is an empty list, and the last logon timestamp is from over four years ago. This could be the time when we stopped using the Server Essentials features:
    PS> Get-ADServiceAccount -Filter * -Properties lastLogonTimestamp | select name,HostComputers,{[DateTime]::fromFileTime($_.lastLogonTimestamp)}

    name        HostComputers [DateTime]::fromFileTime($_.lastLogonTimestamp)
    ----        ------------- -----------------------------------------------
    ServerAdmin {}            19.02.2018 15:19:43
    MediaAdmin  {}            19.02.2018 15:19:44
The fact that ServerAdmin is in the Domain Admins group makes me a bit uncomfortable. Is it safe (and/or maybe even recommended) to remove those MSAs? As mentioned above, we don't use the Essentials role any more in our domain.
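
A read-only audit of the same attributes queried in the question, extended to direct group membership. This is an added example, not part of the original post; the function name `Get-MsaRisk`, the privileged-group list, the 365-day threshold and the sample objects are assumptions constructed for illustration.

```powershell
# Added example: flags managed service accounts that are stale, unassigned and privileged.
# Get-MsaRisk is a hypothetical helper; it only reads properties and changes nothing.
function Get-MsaRisk {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        # Assumed list of groups treated as privileged; adjust for your domain.
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        # Assumed staleness threshold in days.
        [int] $StaleDays = 365
    )
    process {
        # lastLogonTimestamp is a FILETIME; empty or 0 means no recorded logon.
        $last = if ($Account.lastLogonTimestamp) {
            [DateTime]::FromFileTime($Account.lastLogonTimestamp)
        } else { $null }

        # MemberOf holds distinguished names of DIRECT groups only (no nested
        # groups, no primary group); match on the leading CN.
        $priv = @($Account.MemberOf | Where-Object {
            $_ -match '^CN=([^,]+),' -and $PrivilegedGroups -contains $Matches[1]
        })

        [pscustomobject]@{
            Name       = $Account.Name
            LastLogon  = $last
            Stale      = (-not $last) -or ($last -lt (Get-Date).AddDays(-$StaleDays))
            NoHosts    = @($Account.HostComputers).Count -eq 0
            Privileged = $priv.Count -gt 0
            PrivGroups = $priv -join '; '
        }
    }
}

# Constructed sample objects mirroring the output above. The domain DN is a
# placeholder, and MediaAdmin's empty MemberOf is an assumption.
$sample = @(
    [pscustomobject]@{ Name = 'ServerAdmin'; HostComputers = @()
        MemberOf = @('CN=Domain Admins,CN=Users,DC=example,DC=test')
        lastLogonTimestamp = ([DateTime]'2018-02-19T15:19:43').ToFileTime() }
    [pscustomobject]@{ Name = 'MediaAdmin'; HostComputers = @(); MemberOf = @()
        lastLogonTimestamp = ([DateTime]'2018-02-19T15:19:44').ToFileTime() }
)
$sample | Get-MsaRisk | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADServiceAccount -Filter * -Properties lastLogonTimestamp, MemberOf | Get-MsaRisk
```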