
Our Active Directory Domain contains two Managed Service Accounts, MediaAdmin and ServerAdmin:

screenshot

I don't remember adding them, and Google tells me that they are related to the Windows Server Essentials role. Their HostComputers attribute is an empty list, and the last logon timestamp is from over four years ago. This could be the time when we stopped using the Server Essentials features:

PS> Get-ADServiceAccount -Filter * -Properties lastLogonTimestamp | select name,HostComputers,{[DateTime]::fromFileTime($_.lastLogonTimestamp)}

name        HostComputers [DateTime]::fromFileTime($_.lastLogonTimestamp)
----        ------------- -----------------------------------------------
ServerAdmin {}            19.02.2018 15:19:43
MediaAdmin  {}            19.02.2018 15:19:44

The fact that ServerAdmin is in the Domain Admins group makes me a bit uncomfortable. Is it safe (and/or maybe even recommended) to remove those MSAs? As mentioned above, we don't use the Essentials role any more in our domain.

Heinzi
I think this should be tested, but if I had an account in Domain Admins and I didn't know what it was for or didn't think it was necessary I would remove it. Usually these "evictions" occur after something bad has happened, it's good to see people proactively doing this. :-) – Greg Askew Sep 23 '22 at 20:12

0 Answers
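The question's one-liner shows the two properties worth checking (HostComputers and lastLogonTimestamp) but decides nothing. As an added example, not an answer posted on the page and not code from Microsoft or the Essentials role, the script below audits every MSA and gMSA in the domain the same way: it flags accounts that no computer is allowed to use, whose last replicated logon is older than a threshold, and that sit (directly or via nesting) in a privileged group. The list of privileged group names and the 365-day threshold are assumptions for the example; removal only happens when `-Remove` is passed and still goes through the cmdlet's confirmation prompt.

```powershell
# Added example: audit managed service accounts for orphaned, over-privileged entries.
# Requires the ActiveDirectory RSAT module and read rights on the domain.
# Run without -Remove first and review the table; -Remove prompts per account.
param(
    [int]$StaleDays = 365,   # assumption: treat a year without a logon as stale
    [switch]$Remove
)

Import-Module ActiveDirectory

# Groups whose membership turns an unused account into a high-value target.
# Assumption for the example; extend with your own tier-0 groups.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

# Build a DN -> privileged group names map once, resolving nested membership
# with -Recursive so an MSA hidden inside a nested group is still caught.
$privMembers = @{}
foreach ($g in $PrivilegedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    foreach ($m in Get-ADGroupMember -Identity $grp -Recursive) {
        $privMembers[$m.distinguishedName] += @($g)
    }
}

$now = Get-Date
$report = foreach ($msa in Get-ADServiceAccount -Filter * -Properties lastLogonTimestamp, HostComputers, PrincipalsAllowedToRetrieveManagedPassword, whenCreated) {

    # lastLogonTimestamp is replicated but only refreshed roughly every 14 days,
    # so it is a lower bound on "last seen", not an exact time.
    $lastLogon = if ($msa.lastLogonTimestamp) { [DateTime]::FromFileTime($msa.lastLogonTimestamp) } else { $null }
    $ageDays   = if ($lastLogon) { [int]($now - $lastLogon).TotalDays } else { $null }

    # Standalone MSAs bind via HostComputers; gMSAs via PrincipalsAllowedToRetrieveManagedPassword.
    # If both are empty, no computer can retrieve the password, so nothing can be using it.
    $noHosts = ($msa.HostComputers.Count -eq 0) -and
               ($msa.PrincipalsAllowedToRetrieveManagedPassword.Count -eq 0)

    $priv = $privMembers[$msa.DistinguishedName]

    [pscustomobject]@{
        Name              = $msa.Name
        Created           = $msa.whenCreated
        LastLogon         = $lastLogon
        AgeDays           = $ageDays
        NoHosts           = $noHosts
        Privileged        = ($priv -join ',')
        Stale             = $noHosts -and ($null -eq $ageDays -or $ageDays -gt $StaleDays)
        DistinguishedName = $msa.DistinguishedName
    }
}

$report | Sort-Object Stale, AgeDays -Descending |
    Format-Table Name, LastLogon, AgeDays, NoHosts, Privileged, Stale -AutoSize

# Stale accounts that are also privileged are the ones to deal with first:
# at minimum drop the group membership, then remove once nothing has broken.
$candidates = $report | Where-Object { $_.Stale -and $_.Privileged }
foreach ($c in $candidates) {
    Write-Warning "$($c.Name): no hosts, last logon $($c.LastLogon), member of $($c.Privileged)"
    if ($Remove) {
        # Remove-ADServiceAccount has ConfirmImpact High; add -WhatIf to rehearse.
        Remove-ADServiceAccount -Identity $c.DistinguishedName -Confirm:$true
    }
}
```

A less drastic first step than deleting is `Remove-ADGroupMember -Identity 'Domain Admins' -Members <DN>` for the flagged account, which removes the risk the question is worried about while leaving the object in place should the Essentials role ever need it again. Before either step, a search of the domain controllers' Security logs for 4624 logon events with the account name (including the trailing `$`) over the retention window confirms what the replicated timestamp only suggests.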