After an action account is configured for Microsoft Defender for Identity, an issue occurs when any action is performed that executes tasks in on-premises Active Directory. For example, if I try to disable an account I just get an error:

“There was no manage action account configured for the target user’s domain. For more information, see manage action accounts”

I open the sensor log (Microsoft.Tri.Sensor.log) found on the server where you installed the sensor, in the path C:\Program Files\Azure Advanced Threat Protection Sensor\Vers.Number\Logs. Here I can see an issue that is related:

“Warn  DirectoryServicesResolver CreateSecurityPrincipalAsync Found Computer with gMSA attribute [SecurityPrincipalId=9a6f8cd4-d968-4afb-9c18-XXXXXXXXX SamName=mdiSvcActiXXXX$ groupMsaMembership=Unknown]”

From this message we can guess that there is an issue with the membership of that gMSA account: groupMsaMembership=Unknown suggests the sensor could not determine which principals are allowed to retrieve the gMSA's password. To look deeper into this problem I started PowerShell on my Domain Controller, where the sensor is also installed.

Get-ADServiceAccount mdisvcactiXXXX -Properties PrincipalsAllowedToRetrieveManagedPassword

From the output I can see that PrincipalsAllowedToRetrieveManagedPassword is empty, so no group (and therefore no domain controller) is allowed to retrieve the gMSA's password. To confirm the issue you can also run:

Test-ADServiceAccount mdiSvcActiXXXX
Install-ADServiceAccount mdiSvcAction01

The first command returns False with a warning that, for a gMSA, this computer does not have permission to use the account (the same warning also mentions a standalone MSA being linked to another computer object, which does not apply to a gMSA). The second command fails with insufficient rights, because the domain controller is not allowed to retrieve the managed password.

To solve this we need to give the domain controllers the right to retrieve the gMSA's password. Follow these steps to fix the issue:

  • Stop the Azure Advanced Threat Protection Sensor and Azure Advanced Threat Protection Sensor Updater services (service names AATPSensor and AATPSensorUpdater)
  • From PowerShell run: Set-ADServiceAccount -Identity mdiSvcActiXXXX -PrincipalsAllowedToRetrieveManagedPassword 'CN=Domain Controllers,CN=Users,DC=YourDomain' (this replaces the whole list, so include any principal that is already present)
  • From PowerShell run: Install-ADServiceAccount mdiSvcActiXXXX
  • Start the services again
  • Now run the tests you performed before the fix again; Test-ADServiceAccount should return True and the errors should be gone.
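The whole procedure above, as an added PowerShell example that is not part of the original post. It assumes an elevated PowerShell session on the domain controller that hosts the sensor, the RSAT ActiveDirectory module, and that mdiSvcActiXXXX is a placeholder for your action account's name. It goes slightly beyond the list by keeping any principal already present (Set-ADServiceAccount replaces the whole attribute) and by verifying Test-ADServiceAccount before the sensor is started again.

```powershell
# Added example (not from the original post): diagnose and repair the
# PrincipalsAllowedToRetrieveManagedPassword setting of the MDI action account gMSA.
# Assumptions: run elevated on a domain controller that hosts the sensor, the
# ActiveDirectory module is installed, and $GmsaName is a placeholder you replace.
#Requires -Modules ActiveDirectory
#Requires -RunAsAdministrator
param(
    [string]$GmsaName     = 'mdiSvcActiXXXX',      # placeholder: SAM name without the trailing '$'
    [string]$AllowedGroup = 'Domain Controllers'   # group whose members may retrieve the password
)

Import-Module ActiveDirectory

# Service names of the Defender for Identity sensor and its updater.
$sensorServices = 'AATPSensor', 'AATPSensorUpdater'

# 1. Inspect the current state of the gMSA.
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$existing = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { $_ })
if ($existing.Count -eq 0) {
    Write-Host "No principal may retrieve the password of $GmsaName (matches the portal error)."
} else {
    Write-Host "Principals currently allowed to retrieve the password:"
    $existing | ForEach-Object { Write-Host "  $_" }
}

# 2. Resolve the group DN instead of hard-coding 'CN=Domain Controllers,CN=Users,...'.
$groupDn = (Get-ADGroup -Identity $AllowedGroup).DistinguishedName

if ($existing -contains $groupDn) {
    Write-Host "$groupDn is already allowed; nothing to change."
} else {
    # 3. Stop the sensor before changing the account it depends on.
    Get-Service -Name $sensorServices -ErrorAction SilentlyContinue | Stop-Service -Force

    # 4. Set-ADServiceAccount replaces the attribute, so write the union of
    #    what was there and the group we are adding.
    $principals = @(($existing + $groupDn) | Select-Object -Unique)
    Set-ADServiceAccount -Identity $GmsaName -PrincipalsAllowedToRetrieveManagedPassword $principals
    Write-Host "Granted $groupDn the right to retrieve the managed password."
}

# 5. Register the gMSA on this host and verify the password can be retrieved now.
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "Test-ADServiceAccount still fails for $GmsaName; check group membership and AD replication."
}
Write-Host "Test-ADServiceAccount succeeded for $GmsaName."

# 6. Start the sensor services again.
Get-Service -Name $sensorServices -ErrorAction SilentlyContinue | Start-Service
```

Because the domain controller is already a member of Domain Controllers, no reboot is needed for its Kerberos ticket to reflect the new right; if you run the script against a different DC than the one the sensor uses, wait for replication before expecting Test-ADServiceAccount to pass there.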

Now you can test from the security.microsoft.com portal again by performing an action such as “Disable account”.