AZUREADSSOACC reported in multiple issues #186

Open
RobinMJD opened this issue Jun 14, 2023 · 3 comments
Comments


RobinMJD commented Jun 14, 2023

Hello,
Is it normal to have the AZUREADSSOACC account reported in the following issues or are these false positives?
S-DC-NotUpdated (Domain controller update)
S-DCRegistration (Check if all DC are well registered)
S-DC-Inactive (Check if all DC are active)

This AD object is created by Azure AD Connect and used for Azure Active Directory Seamless Single Sign-On.

Thanks in advance.


An-dir commented Aug 1, 2023

Hi @RobinMJD,
Could you figure out what problem you had? Did you use at least version 3.0.0.4?
I can't reproduce your problem. AZUREADSSOACC doesn't make false positives for me.
Does your AD object have:

  • a lastLogonTimestamp
  • a group membership other than the default Domain Computers
  • a primary group membership other than "Domain Computers" (id 515)
  • reside in a special OU
  • a special userAccountControl value (suggested 4096 or 69632)
  • empty "OperatingSystem" and "OperatingSystemVersion" attributes

@testman57

Hello,
I do happen to have the exact same case here.

  • lastLogonTimestamp seems to be absent
  • only member of Domain Computers (which is its primary group)
  • resides in OU "Domain Controllers"
  • useraccountcontrol is 0x11000 (WORKSTATION_TRUST_ACCOUNT, DONT_EXPIRE_PASSWD)
  • OperatingSystem and OperatingSystemVersion are both empty
  • password is changed automatically (last change 1st of September 2023)
  • servicePrincipalName seems to contain a bunch of HTTP and RestrictedKrbHost principals related to the following Microsoft FQDNs:
    ( aadg.windows.net.nsatc.net, autologon.microsoftazuread-sso.com, autologon.prda.aadg.msidentity.com, www.tm.a.prd.aadg.akadns.net, www.tm.a.prd.aadg.trafficmanager.net)

In addition, there does not seem to be a special GUID in the CN and it seems to be related to Azure Active Directory Seamless Single Sign-On

The object is matching the S-DCRegistration (Check if all DC are well registered) and S-DC-Inactive (Check if all DC are active) rules only (not the Domain Controller Update)

It would help greatly if it could be correctly excluded from the checks!

Thanks for your attention,


An-dir commented Mar 13, 2024

Why do you have it in the "Domain Controllers" OU? This is the reason for the "false positives"
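To check the attributes An-dir asked about and the OU placement the last comment points to in one pass, the following PowerShell (an added example, not PingCastle's code or anything posted in this thread) reads the AZUREADSSOACC computer object with the RSAT ActiveDirectory module and reports each property the thread discusses. The flag constants and the RID meanings are standard Windows values; the optional Move-ADObject line at the end is an assumption about how one would act on An-dir's remark and is left commented out with -WhatIf, because rotating or relocating the Seamless SSO account is something to do deliberately, not from a diagnostic script.

```powershell
# Added example (not PingCastle code): inspect AZUREADSSOACC against the
# attributes discussed in issue #186 and report whether it lives in the
# Domain Controllers OU. Requires the RSAT ActiveDirectory module and a
# domain-joined host with read access to the object.
Import-Module ActiveDirectory

$name  = 'AZUREADSSOACC'   # created by Azure AD Connect for Seamless SSO
$props = 'lastLogonTimestamp','memberOf','primaryGroupID','userAccountControl',
         'operatingSystem','operatingSystemVersion','servicePrincipalName','pwdLastSet'

$acc  = Get-ADComputer -Identity $name -Properties $props
$dcOu = (Get-ADDomain).DomainControllersContainer   # e.g. OU=Domain Controllers,DC=corp,DC=example

# userAccountControl bits relevant here; the thread quotes 4096 (0x1000)
# and 0x11000 (69632 = WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD).
$WORKSTATION_TRUST_ACCOUNT = 0x1000
$SERVER_TRUST_ACCOUNT      = 0x2000    # set on real domain controllers, not on this object
$DONT_EXPIRE_PASSWD        = 0x10000

$uac = [int]$acc.userAccountControl

# Both timestamps are stored as 64-bit FILETIME integers; 0/absent means never set.
$lastLogon = if ($acc.lastLogonTimestamp) { [DateTime]::FromFileTime($acc.lastLogonTimestamp) } else { '<absent>' }
$pwdSet    = if ($acc.pwdLastSet)         { [DateTime]::FromFileTime($acc.pwdLastSet) }         else { '<absent>' }

# One object, one field per attribute, so the result can be pasted into an issue.
[pscustomobject]@{
    DistinguishedName      = $acc.DistinguishedName
    InDomainControllersOU  = $acc.DistinguishedName -like "*,$dcOu"
    PrimaryGroupID         = $acc.primaryGroupID          # 515 = Domain Computers, 516 = Domain Controllers
    ExtraGroupMemberships  = @($acc.memberOf).Count       # memberOf does not include the primary group
    LastLogonTimestamp     = $lastLogon
    PwdLastSet             = $pwdSet                      # confirms the automatic rotation testman57 mentions
    UserAccountControl     = ('0x{0:X} ({0})' -f $uac)
    WorkstationTrust       = [bool]($uac -band $WORKSTATION_TRUST_ACCOUNT)
    ServerTrust            = [bool]($uac -band $SERVER_TRUST_ACCOUNT)
    PasswordNeverExpires   = [bool]($uac -band $DONT_EXPIRE_PASSWD)
    OperatingSystem        = $acc.operatingSystem
    OperatingSystemVersion = $acc.operatingSystemVersion
    SPNs                   = ($acc.servicePrincipalName -join '; ')
} | Format-List

# Assumed follow-up, not stated in the thread: preview moving the object out of
# the Domain Controllers OU into the default Computers container. -WhatIf only
# reports what would happen; remove it only after confirming this is wanted.
# Move-ADObject -Identity $acc.DistinguishedName -TargetPath (Get-ADDomain).ComputersContainer -WhatIf
```

If InDomainControllersOU comes back True while ServerTrust is False and PrimaryGroupID is 515, the object is a plain computer account sitting in the DC OU, which is the situation testman57 describes and the placement An-dir identifies as the cause. PwdLastSet should advance over time; this account's Kerberos key is what decrypts Seamless SSO tickets, so a stale value is worth investigating regardless of the PingCastle finding.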
