Showing posts with label gMSA. Show all posts

Sunday, March 28, 2021

Cannot Start Azure ATP or Defender for Identity Services when using gMSA

Description:

You are deploying Azure Advanced Threat Protection (AATP) or Microsoft Defender for Identity (MDI) in your multi-domain, single-forest IT environment. You plan to use a gMSA account as the Defender for Identity service account when communicating with Active Directory.
You have created a new universal group or domain local group and added all of the Domain Controllers in the forest to that group. You have also created the gMSA account and configured that group to be allowed to retrieve the password and use the gMSA account.
However, when you configure MDI to use the gMSA account, the Sensor Services on the Domain Controllers cannot start.

Resolution:

Make sure you have restarted the Domain Controllers that you put inside the new universal or domain local group; a Domain Controller's computer account only picks up the new group membership when it logs on again, so until the restart it cannot retrieve the gMSA password. After the Domain Controller restart, log in and notice that the Azure ATP Sensor Services are able to start properly. A delayed start is expected for the Azure ATP services.
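The following PowerShell is an added example, not code from the original post: it checks that the group is allowed to retrieve the gMSA password and then asks every Domain Controller in the forest whether it can actually use the account, which flags the DCs that still need the restart. It assumes a gMSA named mdiSvc, a group named MDI-Sensor-DCs, WinRM reachable on the DCs, and that the caller is an administrator in each domain.

```powershell
# Added example, not code from the original post. Assumes a gMSA named
# 'mdiSvc', a group 'MDI-Sensor-DCs' holding every DC, WinRM enabled on the
# DCs, and that the caller is an admin in each domain of the forest.
Import-Module ActiveDirectory

$Gmsa      = 'mdiSvc'
$GroupName = 'MDI-Sensor-DCs'

# Check 1: the group must be listed on the gMSA as allowed to retrieve the
# managed password, otherwise no DC will ever be able to start the sensor.
$acct = Get-ADServiceAccount -Identity $Gmsa `
            -Properties PrincipalsAllowedToRetrieveManagedPassword
$groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
if ($acct.PrincipalsAllowedToRetrieveManagedPassword -notcontains $groupDn) {
    Write-Warning "$GroupName is not allowed to retrieve the password of $Gmsa"
}

# Check 2: from each DC in every domain of the forest, test whether that DC can
# actually use the gMSA. Test-ADServiceAccount returns $false until the DC's
# computer token includes the new group, which only happens after the DC has
# been restarted (group membership is evaluated when the computer logs on).
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object -ExpandProperty HostName
}
$results = Invoke-Command -ComputerName $dcs -ArgumentList $Gmsa -ScriptBlock {
    param($name)
    Import-Module ActiveDirectory
    [pscustomobject]@{
        DC     = $env:COMPUTERNAME
        CanUse = [bool](Test-ADServiceAccount -Identity $name)
        Uptime = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

$results | Sort-Object DC | Format-Table DC, CanUse, Uptime -AutoSize

# Any DC reporting CanUse = False with an uptime older than the group change
# still needs the restart described above before the sensor service will start.
$results | Where-Object { -not $_.CanUse } |
    ForEach-Object { Write-Warning "$($_.DC) cannot use $Gmsa yet; restart it" }
```

Run it once after adding the DCs to the group and again after the restarts; every DC should then report CanUse = True.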

How to Add NT Service\All Services group to Active Directory User Rights Assignment

Description:

You want to use a group Managed Service Account (gMSA) in multiple domains in your forest. You also have Group Policy that manages the User Rights Assignment settings in Active Directory. You need to add NT Service\All Services to those User Rights Assignment policies.

Resolution:

  1. Open Group Policy Management and edit the Group Policy. For example, edit the “Default Domain Controllers Policy” if you want to modify the User Rights Assignment on Domain Controllers.
  2. Navigate to “Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment”.
  3. Edit the “Log on as a service” properties and ensure the box next to “Define these policy settings:” is ticked. Click “Add User or Group” and manually type “NT SERVICE\ALL SERVICES” (do not click Browse, as the picker cannot resolve this name).
  4. Click OK twice.
  5. Close Group Policy Management.

Sunday, February 28, 2021

How to Change ADFS Service Account

Description:

You have an existing ADFS deployment running with a regular user account. To increase security you want to change the ADFS service account to a group managed service account (gMSA).

Resolution:

Source of Information: https://github.com/microsoft/adfsToolbox/tree/master/serviceAccountModule

  1. Download the ServiceAccount.psm1 module to all of your AD FS servers (primary and secondary)

  2. Import the PowerShell Module on all servers

    In a PowerShell window, run the following: ipmo ServiceAccount.psm1

  3. For Windows Server 2016 and later, add a rule granting the new service account necessary permissions.

    In a PowerShell window on the primary AD FS server, run the following:

    Add-AdfsServiceAccountRule -ServiceAccount <ServiceAccount> -SecondaryServers <ListOfSecondaryServers>

    Note that <ServiceAccount> should be the service account you want to grant permissions to and can be provided either in the format Domain\User or merely User.

    <ListOfSecondaryServers> should be replaced with a list of secondary servers if the environment is a WID farm so that the configuration database can be synced across all machines.

  4. Change the service account on each machine in the farm.

    Beginning with the secondary servers, run the following:

    Update-AdfsServiceAccount

    Once the function has been executed on all secondary servers, proceed to run it on the primary server.

  5. If Device Registration Services (DRS) is set up in your AD FS environment, you must also use the Set-AdfsDeviceRegistration cmdlet (an internal command exposed by the service) to add the proper permissions to the new service account.

  6. For Windows Server 2016 and later, remove the rule granting permissions to the old service account.

    In a PowerShell window on the primary AD FS server, run the following:

    Remove-AdfsServiceAccountRule -ServiceAccount <ServiceAccount> -SecondaryServers <ListOfSecondaryServers>

    Note that <ServiceAccount> should be the service account you want to revoke permissions for and can be provided either in the format Domain\User or merely User.

    <ListOfSecondaryServers> should be replaced with a list of secondary servers if the environment is a WID farm so that the configuration database can be synced across all machines.
