MSAs
The MSAs page provides a list of the managed service accounts enumerated across the entire Active Directory. The list contains the Enabled, Privileged, Admin, Local Admin, Session, Risk Score, Exposure Point and Issue Counts columns.
The Details page contains the Risk Score of the managed service account and the Exposure Point, Information, and Issues panes.
You can analyze objects in the Graph module by clicking the Visualize button on the upper left side of the Information Pane.
The Information Pane can contain different badges that highlight important attributes:
Sensitive: Indicates that the object is marked as sensitive and cannot be delegated, or is a member of the Protected Users group.
Privileged: Indicates that the object is Privileged.
Admin: Indicates that the object is Admin.
Local Admin: Indicates that the object is a member (direct or nested) of a local administrators group on at least one computer.
Enabled: Indicates that the object is enabled.
Disabled: Indicates that the object is disabled.
The Information Pane contains the Details, Groups, Sessions, SPNs, and Local Memberships tabs, in that order.
The Details tab contains the attributes below about the managed service account object.
SAM AccountName: The logon name used to support clients and servers running earlier versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. (Ldap Display Name: sAMAccountName)
Distinguished Name: Active Directory distinguished name of the object. (Ldap Display Name
Object Category: An object class name used to group objects of this or derived classes. (Ldap Display Name: objectCategory)
Object Sid: Active Directory security identifier of the object. (Ldap Display Name
Created Time: The date when this object was created. (Ldap Display Name: whenCreated)
Last Changed Time: The date when this object was last changed. (Ldap Display Name: whenChanged)
Host Service Account: Indicates the server that the managed service account was installed on.
Name: Name of the specified object. (Ldap Display Name: name)
Bad Password Count: The number of times a logon to the account was attempted with an incorrect password. (Ldap Display Name: badPwdCount)
Primary Group ID: Contains the relative identifier (RID) of the primary group of the object. By default, this is the RID of the Domain Computers group for managed service accounts.
Admin Count: Indicates that the object has had its ACLs changed to a more secure value by the system because it was a member (directly or transitively) of one of the administrative groups. (Ldap Display Name: adminCount)
Logon Count: The number of times the account has successfully logged on. This attribute is not replicated between Domain Controllers, so each Domain Controller holds its own value. (Ldap Display Name: logonCount)
Constrained Delegation: Indicates whether constrained delegation is configured on the account or not.
Parent OU: The direct parent Organizational Unit of the object.
The Groups tab contains a list of groups that the managed service account is a member of. This list also contains Privileged and Admin columns that identify the privilege levels of these groups.
The Sessions tab contains a list of computers that the managed service account has a session on. This list also contains IP Address and Privileged columns that identify the network address and privilege level of these computers.
The SPNs tab contains a list of the Service Principal Names that are defined on the managed service account object.
The Local Memberships tab contains a list of local groups that the managed service account is a member of.
Local Group Name: Name of the local group that the account is a member of.
Computer: Name of the computer object that contains the local group.
Exec DCOM: Indicates whether the local group has enough privilege to execute commands on the computer over the DCOM (Distributed Component Object Model) protocol.
Exec PWSH: Indicates whether the local group has enough privilege to execute commands on the computer with PowerShell.
RDP: Indicates whether the local group has enough privilege to connect to the computer with RDP (Remote Desktop Protocol).
Admin: Indicates whether the local group has admin privilege on the computer.
The Issues pane contains the issues identified on the managed service account object.
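As an added example that is not part of this page's product, the following PowerShell uses the RSAT ActiveDirectory module to pull the same Details tab attributes and SPNs for every managed service account and to list the ones with adminCount set or constrained delegation configured. The report column names and the output file name are my own choices; the script assumes a domain-joined session with read access to the directory.

```powershell
# Added example (not part of the product documentation): enumerate managed service
# accounts with the attributes the Details and SPNs tabs describe, using the RSAT
# ActiveDirectory module. Assumes a domain-joined session with read access to AD.
Import-Module ActiveDirectory

$props = @(
    'sAMAccountName', 'objectCategory', 'objectSid', 'whenCreated', 'whenChanged',
    'badPwdCount', 'primaryGroupID', 'adminCount', 'logonCount',
    'msDS-AllowedToDelegateTo', 'servicePrincipalName', 'HostComputers', 'Enabled'
)

$report = Get-ADServiceAccount -Filter * -Properties $props | ForEach-Object {
    # Parent OU = the DN with its first RDN removed (split on the first unescaped comma)
    $parentOU = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
    [pscustomobject]@{
        SamAccountName        = $_.sAMAccountName
        Enabled               = $_.Enabled
        ObjectSid             = $_.objectSid.Value
        Created               = $_.whenCreated
        LastChanged           = $_.whenChanged
        HostServiceAccount    = (@($_.HostComputers) -join ';')   # back-link to the installing host
        BadPasswordCount      = $_.badPwdCount
        PrimaryGroupId        = $_.primaryGroupID                  # 515 = Domain Computers by default
        AdminCount            = [int]$_.adminCount                 # 1 = protected-group membership history
        LogonCount            = $_.logonCount                      # per-DC value, not replicated
        ConstrainedDelegation = (@($_.'msDS-AllowedToDelegateTo').Count -gt 0)
        SPNs                  = (@($_.servicePrincipalName) -join ';')
        ParentOU              = $parentOU
    }
}

# Accounts worth a closer look: protected-group history or delegation rights configured
$report |
    Where-Object { $_.AdminCount -eq 1 -or $_.ConstrainedDelegation } |
    Format-Table SamAccountName, Enabled, AdminCount, ConstrainedDelegation, HostServiceAccount -AutoSize

# Full report for archiving and for diffing against the previous run (file name is my own choice)
$report | Export-Csv -Path .\msa-report.csv -NoTypeInformation
```

Because logonCount is not replicated, run the query with -Server against each Domain Controller if you need the per-DC values rather than the one your session happened to bind to.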