
Let's say I have remote access to a server which uses MSAs to run application pools and Windows services. Can I, as a normal (not elevated) user, run programs under those MSAs?

For example

PsExec.exe -u domain\MsaAccount$ cmd.exe

I would say no, but I need to make sure. It's not that I don't know that they can be used to run stuff like services. I just don't want users without elevated rights to use them to do stuff they aren't allowed to.

Martijn B
  • MSA or gMSA? Because MSAs don't exist in a domain, only gMSAs do. – Daniel Sep 14 '17 at 12:39
  • @Daniel the question is about both. – Martijn B Sep 14 '17 at 12:41
  • Oh, okay, I was confused about the "domain" part. – Daniel Sep 14 '17 at 12:42
  • You can certainly run scripts as an MSA. This might help you find a way of doing it with programs, too: https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/ – Daniel Sep 14 '17 at 12:42
  • @Daniel MSAs are stored in AD under CN=Managed Service Accounts, DC=, DC=. It's not that I don't know that they can be used to run stuff like services. I just don't want users without elevated rights to use them to do stuff they aren't allowed to. – Martijn B Sep 14 '17 at 13:07
  • Possible duplicate of [Run command with a Managed Service Account?](https://serverfault.com/questions/736651/run-command-with-a-managed-service-account) – yagmoth555 Sep 15 '17 at 10:58
  • Hi, I flagged this as a duplicate because the answer is a good one for you, as yes, it can be run, and there is no need for the account password to run it. – yagmoth555 Sep 15 '17 at 11:02
  • The answer to the other question doesn't state if it's possible to run it as a non-elevated account. – Martijn B Sep 21 '17 at 10:52

0 Answers