NEW Changing AD Account

[SouthernIT]

When our SCCM install was first configured, it was set to use the default administrator AD account. I'm wanting to divorce ourselves from this obvious security issue. I've gone through and changed the network access account and client push accounts, but I'm still seeing the administrator user pop up in my Defender for Endpoint activity logs on our Windows endpoints. I'm hoping you guys can point me in the direction of what I've missed - thanks!

Resource access: device SCCMSERVER, property Spns cifs/SCCMSERVER.domain.local
Resource access: property Spns krbtgt/DOMAIN.LOCAL, user krbtgt

Both of these entries are being reported by our Windows endpoints on a regular basis.

 

[Garth]

it was set to use the default administrator AD account. I'm wanting to divorce ourselves from this obvious security issue.

You will have to give more details as to what you mean by this?

 

[SouthernIT]

When our SCCM install was first configured, the default "administrator" account was used for practically the entire SCCM setup (NAA, etc). Ultimately, we're trying to disable that account for security purposes. We've gone through and changed all of the accounts that SCCM uses to the best of our knowledge, but we're still seeing those above entries in our defender logs attached to that administrator user, so we'd like to figure out what we missed before we disable it.

 

[Garth]

Exactly what accounts or services have you changed? ConfigMgr, use the local system account for just about everything. so..