I am currently reviewing my work's default domain controller policy GPO against the MS Security Compliance Manager, and one of the things I have found is that there are many things that have user rights assignments that do not appear in the compliance baseline. Many of these things look to be machine accounts such as:
- DOMAIN\IWAM_[Server-Name]
- DOMAIN\SQLServer2005MSSQLUser$ [Server-Name] $MICROSOFT##SSEE
- DOMAIN\IUSR_[Server-Name]
Should I be following the compliance manager's advice and removing them, or trust that Windows knows what it is doing and leave them alone?