Summary: This article explains how to protect the Cayosoft Administrator Service account by enabling the "Account is sensitive and cannot be delegated" setting or by restricting the service account logon to specific computers.
Applies to: Cayosoft Administrator 8.4.0 and later.
ID: KB20220126-1
Content:
Overview
There are two options to protect the Cayosoft Administrator Service account. You can use either of these:
- Enable the "Account is sensitive and cannot be delegated" setting
- Restrict the service account logon to specific computers
According to Microsoft documentation, accounts for services and computers should never be members of the "Protected Users" group. This group provides incomplete protection for such accounts because the password or certificate is always available on the host. Authentication will fail with the error "the user name or password is incorrect" for any service or computer account that is added to the Protected Users group, so this option is not suitable for the Cayosoft Administrator Service account.
As for Group Managed Service Accounts (gMSA), although a gMSA can be used as a service account, it cannot be used as the account for the creation of PowerShell sessions.
You can avoid storing credentials in the Active Directory connection account by leaving the credentials on the Active Directory extension empty, but you still need a privileged AD user account for the Exchange extension and for the replication configuration (if you have a replication group). Using a gMSA therefore only adds an extra account to manage instead of replacing the manually managed user account.
How to enable the "Account is sensitive and cannot be delegated" setting
- In Active Directory Users and Computers (ADUC) open properties of the service account.
- Click the Account tab.
- In the Account options section navigate to the "Account is sensitive and cannot be delegated" setting and check it.
- Save changes.
How to restrict the service account logon to specific computers
- In Active Directory Users and Computers (ADUC) open properties of the service account.
- Click the Account tab.
- Click Log On To.
- On the Logon Workstations form add the names of the computers a service account can log on to.
- Save changes.
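The same two settings can be applied and verified from PowerShell with the ActiveDirectory module instead of ADUC. This is an added example, not part of the Cayosoft article; the account name, the computer names and the function name are assumed placeholders.

```powershell
# Added example (not from the Cayosoft KB). Requires the RSAT ActiveDirectory
# module and rights to modify the service account object.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-cayosoft'                  # assumed sAMAccountName
$AllowedHosts   = @('CAYO-APP01', 'CAYO-APP02')   # assumed NetBIOS host names

# Option 1: "Account is sensitive and cannot be delegated".
# This sets the NOT_DELEGATED bit (0x100000) in userAccountControl.
Set-ADAccountControl -Identity $ServiceAccount -AccountNotDelegated $true

# Option 2: restrict logon to specific computers.
# LogonWorkstations maps to the userWorkstations attribute: a comma-separated
# list of NetBIOS computer names without spaces.
Set-ADUser -Identity $ServiceAccount -LogonWorkstations ($AllowedHosts -join ',')

# Assumed helper name: read the settings back and report whether each
# protection is actually in place, so the change can be audited later.
function Test-ServiceAccountHardening {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string[]]$ExpectedHosts = @()
    )
    $acct = Get-ADUser -Identity $Identity -Properties userAccountControl, LogonWorkstations

    $notDelegated = ($acct.userAccountControl -band 0x100000) -ne 0
    $configured   = @()
    if ($acct.LogonWorkstations) { $configured = $acct.LogonWorkstations -split ',' }

    # Workstation names are compared case-insensitively.
    $missing = $ExpectedHosts | Where-Object { $configured -notcontains $_ }
    $extra   = $configured    | Where-Object { $ExpectedHosts -notcontains $_ }

    [pscustomobject]@{
        Account               = $acct.SamAccountName
        AccountNotDelegated   = $notDelegated
        LogonWorkstations     = $configured
        MissingHosts          = @($missing)
        UnexpectedHosts       = @($extra)
        LogonRestricted       = ($configured.Count -gt 0)
    }
}

Test-ServiceAccountHardening -Identity $ServiceAccount -ExpectedHosts $AllowedHosts
```

Run the check again after any change to the Cayosoft hosts: adding a new application server without updating the workstation list is what typically breaks the service logon.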