You can investigate this in your environment by running the PowerShell script in Test-GMSA.zip, attached to this KB.
1- Edit this script and replace GMSA_HERE with the name of the GMSA account shown in the discovery error.
2- Save changes and run the script.
3- Look for GMSA_TEST-output.txt, which will be stored in the same directory in which you placed the script.
Scroll to the bottom of the output file and check for an error such as:
TerminatingError(Get-ADObject): "Cannot find an object with identity: 'SID Number Here' ".
If you see one SID or a list of SIDs, you can investigate further to confirm whether those SIDs are in fact orphaned by running Get-ADObject -Identity "SID HERE".
This will help determine whether the SIDs found in "msDS-GroupMSAMembership" are orphaned. You may clean up orphaned SIDs in your environment, or simply add this error to the suppression list by clicking "Add Suppression" in the upper part of the error screen.
By doing this, the error related to the SID or SIDs of the GMSA members is added to the suppression list, so the next time you run an AD discovery and ER detects the same SID members for the same GMSA, it will ignore them and proceed to complete the discovery without reporting this error.
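
Before suppressing the error, the SIDs in "msDS-GroupMSAMembership" can be listed and checked in one pass. The script below is an added example, not the Test-GMSA script attached to this KB; the function name Get-GmsaOrphanedSid is hypothetical, and it assumes the ActiveDirectory module is installed and looks SIDs up with an objectSid filter instead of -Identity.

```powershell
# Added example (not the KB's Test-GMSA script). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-GmsaOrphanedSid {
    param(
        [Parameter(Mandatory)]
        [string]$GmsaName   # name of the GMSA shown in the discovery error
    )

    # msDS-GroupMSAMembership holds a security descriptor whose DACL lists the
    # principals allowed to retrieve the managed password.
    $gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties 'msDS-GroupMSAMembership'
    $sd   = $gmsa.'msDS-GroupMSAMembership'
    if (-not $sd) { return }   # attribute not set: nothing to check

    # Request the ACEs as raw SIDs so that unresolved entries are not hidden
    # behind name translation.
    $rules = $sd.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])

    foreach ($sid in ($rules.IdentityReference.Value | Sort-Object -Unique)) {
        # Search the directory for an object carrying this SID.
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'"
        [pscustomobject]@{
            Gmsa        = $GmsaName
            Sid         = $sid
            Resolved    = [bool]$obj
            Name        = $obj.Name
            ObjectClass = $obj.ObjectClass
        }
    }
}

# GMSA_HERE is the same placeholder used in the KB script; replace it first.
Get-GmsaOrphanedSid -GmsaName 'GMSA_HERE' |
    Where-Object { -not $_.Resolved } |
    Format-Table -AutoSize
```

The lookup only searches the default domain, so a SID reported as unresolved may still belong to a principal in another domain or forest; confirm that before removing it from the GMSA.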