GroupManagedServiceAccount
Field | Type | Possible Operators | Description |
---|---|---|---|
Guid | TEXT | | A unique identifier that is a combination of GUID of selected |
Name | TEXT | | Name of the specified object. (LDAP Display Name: name) |
FSName | TEXT | | A special unique identifier that is a combination of the |
IsEnabled | BOOLEAN | | Indicates whether the account is enabled. |
HasConstrainedDelegation | BOOLEAN | | Indicates whether Constrained Delegation is activated on the object. |
IsStealth | BOOLEAN | | Indicates that the object can compromise admin objects with at least one attack path. |
LogonCount | NUMBER | | The number of times the account has successfully logged on. This attribute is not replicated to other Domain Controllers. (LDAP Display Name: logonCount) |
PrimaryGroupID | NUMBER | | Contains the relative identifier (RID) for the primary group of the object. (LDAP Display Name: primaryGroupID) |
UserAccountControl | NUMBER | | Flags that control different attributes and behavior of the objects. (LDAP Display Name: userAccountControl) (Field Reference) |
PasswordExpirationDate | DATE | | The expiration date of the object's password. |
IsSensitive | BOOLEAN | | Indicates whether the object's NOT_DELEGATED bit of UserAccountControl is set. This attribute is used to disable Kerberos delegations for objects. |
IsUsingDESAlgorithmForHashing | BOOLEAN | | Indicates whether the object is using an insecure DES algorithm in the Kerberos protocol. |
IsAdmin | BOOLEAN | | Indicates that the object is Admin. |
IsPasswordExpired | BOOLEAN | | Indicates whether the object's password is expired and should be changed. |
WhenCreated | DATE | | The date when this object was created. (LDAP Display Name: whenCreated) |
HasResourceBasedConstrainedDelegation | BOOLEAN | | Indicates whether Resource Based Constrained Delegation is activated on the object. |
Cn | TEXT | | The name that represents an object. Used to perform searches. (LDAP Display Name: cn) |
AllowedtoDelegateSpn | TEXT | | Contains Service Principal Name definitions in the context of Constrained Delegation. (LDAP Display Name: msDS-AllowedToDelegateTo) |
HasUnconstrainedDelegation | BOOLEAN | | Indicates whether Unconstrained Delegation is activated on the object. |
session_count | NUMBER | | The number of sessions the object has on computers. |
MsDSSupportedEncryptionTypes | NUMBER | | The encryption algorithms supported by user, computer or trust accounts. The KDC uses this information while generating a service ticket for this account. Services and Computers can automatically update this attribute on their respective accounts in Active Directory, and therefore need write access to this attribute. (LDAP Display Name: msDS-SupportedEncryptionTypes) |
IsProtected | BOOLEAN | | Indicates that the object is a direct or nested member of the Protected Users group. |
IsPrivileged | BOOLEAN | | Indicates that the object is Privileged. |
ObjectSid | TEXT | | Active Directory security identifier of the object. (LDAP Display Name: objectSid) |
first_degree_localadmin_count | NUMBER | | The number of computers on which the account has explicit local admin privilege. |
HasReversibleEncryption | BOOLEAN | | Indicates whether the object is using reversible encryption instead of a hash to keep credentials. |
BadPwdCount | NUMBER | | The number of times the object tried to log on to the account using an incorrect password. (LDAP Display Name: badPwdCount) |
AdminCount | NUMBER | | Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively). (LDAP Display Name: adminCount) |
risk | NUMBER | | The risk score of the object, calculated based on vulnerability counts and severities. |
DistinguishedName | TEXT | | Active Directory distinguished name of the object. (LDAP Display Name: distinguishedName) |
HasProtocolTransition | BOOLEAN | | Indicates whether Constrained Delegation with Protocol transition is activated on the object. |
SidHistory | TEXT | | Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and that new SID becomes the objectSID. The previous SID is added to the sIDHistory property. (LDAP Display Name: sIDHistory) |
SAMAccountType | NUMBER | | Specifies the account type of the security principal objects in Active Directory. (LDAP Display Name: sAMAccountType) (Field Reference) |
DNSHostName | TEXT | | Fully qualified domain name of the group managed service account as registered in DNS. (LDAP Display Name: dNSHostName) |
DontReqPreauth | BOOLEAN | | Indicates whether the Kerberos Pre-Authentication mechanism was disabled for the object. |
MsDSManagedPasswordInterval | NUMBER | | This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA. (LDAP Display Name: msDS-ManagedPasswordInterval) |
group_delegated_localadmin_count | NUMBER | | The number of computers on which the object has group delegated local admin privilege. |
IsLocalAdmin | BOOLEAN | | Indicates that the object is a member (direct or nested) of a local administrators group in at least one computer. |
DontReqPasswd | BOOLEAN | | Indicates whether the object's password can be blank. |
HasNonExpiringPassword | BOOLEAN | | Indicates whether the object's password is set to never expire. |
HasLocalService | BOOLEAN | | Indicates whether the object has managing local services (without SPN). |
SAMAccountName | TEXT | | The logon name used to support clients and servers running earlier versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. (LDAP Display Name: sAMAccountName) |
WhenChanged | DATE | | The date when this object was last changed. (LDAP Display Name: whenChanged) |