# DMSAs

The `DMSAs` page lists the delegated managed service accounts enumerated across the entire Active Directory. The list contains the `Enabled`, `Privileged`, `Admin`, `Local Admin`, `Session`, `Risk Score`, `Exposure Point` and `Issue Counts` columns.

<figure><img src="/files/StJ7MW5XVsrWCHY2dQDZ" alt=""><figcaption><p>Delegated Managed Service Accounts</p></figcaption></figure>

### Delegated Managed Service Account Details

The Details page contains the `Risk Score` of the delegated managed service account, and the `Exposure Point`, `Information`, and `Issues` panes.

{% hint style="info" %}
You can analyze objects in the `Graph module` by clicking the `Visualize` button on the upper left side of the `Information Pane`.
{% endhint %}

<figure><img src="/files/W7MMYZTPqlIjcnivfp2A" alt="Delegated Managed Service Account Details"><figcaption><p>Delegated Managed Service Account Details</p></figcaption></figure>

### Information

The `Information Pane` can contain different badges that highlight important attributes.

| Badge           | Description                                                                                                        |
| --------------- | ------------------------------------------------------------------------------------------------------------------ |
| **Sensitive**   | Indicates that the object is marked as not delegated or a member of the Protected Users group.                     |
| **Privileged**  | Indicates that the object is Privileged.                                                                           |
| **Admin**       | Indicates that the object is Admin.                                                                                |
| **Local Admin** | Indicates that the object is a member (direct or nested) of a local administrators group in at least one computer. |
| **Enabled**     | Indicates that the object is enabled.                                                                              |
| **Disabled**    | Indicates that the object is disabled.                                                                             |

The `Information Pane` contains the `Details`, `Groups`, `Sessions`, `SPNs`, and `Local Memberships` tabs.

### Details

The Details tab contains the attributes below about the delegated managed service account object.

| Attribute                    | Description                                                                                                                                                                                                             |
| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **SAM AccountName**          | The logon name used to support clients and servers running earlier versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. (**Ldap Display Name**: sAMAccountName)           |
| **Distinguished Name**       | Active Directory distinguished name of the object. (**Ldap Display Name**: distinguishedName)                                                                                                                           |
| **Object Category**          | An object class name used to group objects of this or derived classes. (**Ldap Display Name**: objectCategory)                                                                                                          |
| **Object Sid**               | Active Directory security identifier of object. (**Ldap Display Name**: objectSid)                                                                                                                                      |
| **Created Time**             | The date when this object was created. (**Ldap Display Name**: whenCreated)                                                                                                                                             |
| **Last Changed Time**        | The date when this object was last changed. (**Ldap Display Name**: whenChanged)                                                                                                                                        |
| **Parent OU**                | The direct parent Organizational Unit of the object.                                                                                                                                                                    |
| **Name**                     | Name of the specified object. (**Ldap Display Name**: name)                                                                                                                                                             |
| **Bad Password Count**       | The number of times the user tried to log on to the account using an incorrect password. (**Ldap Display Name**: badPwdCount)                                                                                           |
| **Primary Group ID**         | Contains the relative identifier (RID) for the primary group of the object. By default, this is the RID for the Domain Computers group for group managed service accounts.                                              |
| **Admin Count**              | Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively). (**Ldap Display Name**: adminCount) |
| **Logon Count**              | The number of times the account has successfully logged on. This attribute is not replicated to other Domain Controllers. (**Ldap Display Name**: logonCount)                                                           |
| **Constrained Delegation**   | Indicates whether constrained delegation is configured on the account.                                                                                                                                                  |
| **Preceded Managed Account** | The original service account that this dMSA superseded (the account that was migrated to the dMSA).                                                                                                                    |
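As an added example (not part of the fsProtect documentation), the following PowerShell enumerates dMSA objects and reads the attributes listed above so that the values shown in the Details tab can be cross-checked against the directory. It assumes the `ActiveDirectory` module and domain read access; the object class `msDS-DelegatedManagedServiceAccount` and the attributes `msDS-ManagedAccountPrecededByLink` (preceded account), `msDS-AllowedToDelegateTo` (constrained delegation) and `userAccountControl` (enabled flag) are assumptions not named on the page.

```powershell
# Added example: read the Details-tab attributes of every dMSA in the domain.
# Assumes the ActiveDirectory module; attribute names beyond the page are assumptions.
Import-Module ActiveDirectory

$props = @(
    'sAMAccountName', 'distinguishedName', 'objectCategory', 'objectSid',
    'whenCreated', 'whenChanged', 'name', 'badPwdCount', 'primaryGroupID',
    'adminCount', 'logonCount', 'userAccountControl', 'servicePrincipalName',
    'msDS-ManagedAccountPrecededByLink', 'msDS-AllowedToDelegateTo'
)

# dMSA objects use the msDS-DelegatedManagedServiceAccount object class (assumption)
$dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
                      -Properties $props

foreach ($a in $dmsas) {
    # ACCOUNTDISABLE is bit 0x2 of userAccountControl
    $enabled = -not ([int]$a.userAccountControl -band 0x2)
    # Parent OU is the DN with its leading RDN removed (escaped commas are skipped)
    $parentOU = ($a.distinguishedName -split '(?<!\\),', 2)[1]
    [PSCustomObject]@{
        SamAccountName         = $a.sAMAccountName
        DistinguishedName      = $a.distinguishedName
        ParentOU               = $parentOU
        ObjectSid              = [string]$a.objectSid
        CreatedTime            = $a.whenCreated
        LastChangedTime        = $a.whenChanged
        Enabled                = $enabled
        AdminCount             = $a.adminCount            # set by SDProp for protected groups
        PrimaryGroupID         = $a.primaryGroupID        # 515 = Domain Computers
        BadPasswordCount       = $a.badPwdCount
        LogonCount             = $a.logonCount            # not replicated; per-DC value
        ConstrainedDelegation  = [bool]$a.'msDS-AllowedToDelegateTo'
        PrecededManagedAccount = $a.'msDS-ManagedAccountPrecededByLink'
        SPNs                   = ($a.servicePrincipalName -join '; ')
    }
}
```

Because `logonCount` and `badPwdCount` are not replicated, query each domain controller with `-Server` if you need the per-DC values rather than the one returned by the DC you happen to bind to.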

### Groups

The Groups tab contains a list of the groups that the delegated managed service account is a member of. This list also contains `Privileged` and `Admin` columns to identify the privilege levels of these groups.

<figure><img src="/files/Y8oH3zgZGc8u0LPKfOhc" alt="Groups"><figcaption><p>Groups</p></figcaption></figure>

### Sessions

The Sessions tab contains a list of the computers that the delegated managed service account has a session on. This list also contains `IP Address` and `Privileged` columns to identify the network address and privilege level of each computer.

<figure><img src="/files/1FrXc0i8bynII9rqHnOI" alt="Sessions"><figcaption><p>Sessions</p></figcaption></figure>

### SPNs

The SPNs tab contains a list of the `Service Principal Names` that are defined on the delegated managed service account object.

<figure><img src="/files/i4cmKgPNSTgdKYGiSWz1" alt="SPNs"><figcaption><p>SPNs</p></figcaption></figure>

### Local Memberships <a href="#local-memberships" id="local-memberships"></a>

The Local Memberships tab contains a list of the local groups that the delegated managed service account is a member of.

<figure><img src="/files/nRsqSokrwpwr8NsMBufE" alt="Local Memberships"><figcaption><p>Local Memberships</p></figcaption></figure>

**Local Group Name**: Name of the local group that the delegated managed service account is a member of.

**Computer**: Name of the computer object that contains the local group.

**Exec DCOM**: Indicates whether the local group has enough privilege to execute commands on the computer over DCOM (Distributed Component Object Model).

**Exec PWSH**: Indicates whether the local group has enough privilege to execute commands on the computer with PowerShell.

**RDP**: Indicates whether the local group has enough privilege to connect to the computer with RDP (Remote Desktop Protocol).

**Admin**: Indicates whether the local group has admin privilege on the computer.

### Issues

The Issues pane contains the issues identified on the delegated managed service account object.

<figure><img src="/files/uD91ck8oAiEEfjJCqJBt" alt="Issues"><figcaption><p>Issues</p></figcaption></figure>

