
AZUREADSSOACC reported in multiple issues

Open RobinMJD opened this issue 2 years ago • 4 comments

Hello, is it normal to have the AZUREADSSOACC account reported in the following issues, or are these false positives?

  • S-DC-NotUpdated (Domain controller update)
  • S-DCRegistration (Check if all DC are well registered)
  • S-DC-Inactive (Check if all DC are active)

This AD object is created by Azure AD Connect and used for Azure Active Directory Seamless Single Sign-On.

Thanks in advance.

RobinMJD avatar Jun 14 '23 12:06 RobinMJD

Hi @RobinMJD, could you figure out what problem you had? Did you use at least version 3.0.0.4? I can't reproduce your problem. AZUREADSSOACC doesn't make false positives for me. Does your AD object:

  • have a lastlogontimestamp
  • have a group membership other than the default Domain Computers
  • have a primary group membership other than "domaincomputer" (id 515)
  • reside in a special OU
  • have a special useraccountcontrol value (suggested 4096 or 69632)
  • have empty "OperatingSystem" and "OperatingSystemVersion" attributes

An-dir avatar Aug 01 '23 14:08 An-dir

Hello, I do happen to have the exact same case here.

  • lastLogonTimestamp seems to be absent
  • only member of Domain Computers (which is its primary group)
  • resides in the OU "Domain Controllers"
  • userAccountControl is 0x11000 (WORKSTATION_TRUST_ACCOUNT, DONT_EXPIRE_PASSWD)
  • OperatingSystem and OperatingSystemVersion are both empty
  • password is changed automatically (last change 1st of September 2023)
  • servicePrincipalName seems to contain a bunch of HTTP and RestrictedKrbHost principals related to the following Microsoft FQDNs: aadg.windows.net.nsatc.net, autologon.microsoftazuread-sso.com, autologon.prda.aadg.msidentity.com, www.tm.a.prd.aadg.akadns.net, www.tm.a.prd.aadg.trafficmanager.net

In addition, there does not seem to be a special GUID in the CN, and it seems to be related to Azure Active Directory Seamless Single Sign-On.

The object matches the S-DCRegistration (Check if all DC are well registered) and S-DC-Inactive (Check if all DC are active) rules only (not the Domain Controller Update).

It would help greatly if it could be correctly excluded from the checks!

Thanks for your attention,

testman57 avatar Sep 18 '23 12:09 testman57

Why do you have it in the "Domain Controllers" OU? This is the reason for the "false positives".

An-dir avatar Mar 13 '24 15:03 An-dir
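The attribute checklist in An-dir's first reply and the OU explanation in the last one can be verified in one pass with the script below. It is an added example, not code from PingCastle or from anyone in this thread: it reads the AZUREADSSOACC computer object with the RSAT ActiveDirectory module, decodes the userAccountControl bits the thread mentions, and reports whether the object's distinguished name sits under the domain's Domain Controllers container. The ActiveDirectory module, a domain-joined session with read access, and the account name AZUREADSSOACC are assumed; the flag names and RID comments come from the standard Windows definitions, not from the thread.

```powershell
# Added example (not PingCastle's code): inspect AZUREADSSOACC against the
# attributes discussed in the issue and report whether it lives in the
# Domain Controllers OU, which the last reply identifies as the trigger.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Distinguished name of the Domain Controllers OU for this domain.
$dcOu = $domain.DomainControllersContainer

$acc = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties `
    lastLogonTimestamp, userAccountControl, primaryGroupID, memberOf, `
    operatingSystem, operatingSystemVersion, servicePrincipalName, pwdLastSet

# userAccountControl bits relevant here (standard Windows flag values).
# 0x1000 | 0x10000 = 0x11000 = 69632, the value reported in the thread.
$uacFlags = @{
    0x0080  = 'NORMAL_ACCOUNT'
    0x1000  = 'WORKSTATION_TRUST_ACCOUNT'
    0x2000  = 'SERVER_TRUST_ACCOUNT'    # set on real domain controllers
    0x10000 = 'DONT_EXPIRE_PASSWD'
}
$setFlags = $uacFlags.Keys |
    Where-Object { $acc.userAccountControl -band $_ } |
    ForEach-Object { $uacFlags[$_] }

# lastLogonTimestamp and pwdLastSet are stored as Windows FILETIME integers.
$lastLogon = if ($acc.lastLogonTimestamp) { [DateTime]::FromFileTime($acc.lastLogonTimestamp) } else { $null }
$pwdSet    = if ($acc.pwdLastSet)         { [DateTime]::FromFileTime($acc.pwdLastSet) }         else { $null }

[PSCustomObject]@{
    DistinguishedName     = $acc.DistinguishedName
    # True when the DN ends with the Domain Controllers OU DN.
    InDomainControllersOU = $acc.DistinguishedName -like "*,$dcOu"
    UserAccountControl    = ('0x{0:X} ({1})' -f $acc.userAccountControl, ($setFlags -join ', '))
    IsServerTrustAccount  = [bool]($acc.userAccountControl -band 0x2000)
    PrimaryGroupID        = $acc.primaryGroupID   # 515 = Domain Computers, 516 = Domain Controllers
    ExtraGroupCount       = @($acc.memberOf).Count
    LastLogonTimestamp    = $lastLogon
    PasswordLastSet       = $pwdSet
    OperatingSystem       = $acc.operatingSystem
    OperatingSystemVer    = $acc.operatingSystemVersion
    SPNCount              = @($acc.servicePrincipalName).Count
} | Format-List
```

For the object testman57 describes, the expected output is WORKSTATION_TRUST_ACCOUNT and DONT_EXPIRE_PASSWD set, SERVER_TRUST_ACCOUNT clear, PrimaryGroupID 515, ExtraGroupCount 0 and an empty OperatingSystem; if InDomainControllersOU is True, that matches the explanation in the final reply. Whether and how to relocate the object is an administrative decision to check against Microsoft's Seamless SSO guidance for the Azure AD Connect version in use, which this thread does not cover.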