GPOADmin - Least Privileged Service Account (4377906)

Matthew, a strategic systems consultant at Quest, discusses GPOADmin and least privileged delegation in a video. GPOADmin operates as a proxy solution, using a service account to perform operations on Active Directory without needing direct permissions. He emphasizes the importance of protecting the GPOADmin service account due to its significant permissions over Group Policy Objects (GPOs), which can be exploited as an attack vector.  Matthew explains the necessary permissions for GPOADmin in Active Directory, including delegating rights through the Group Policy Management Console and using group managed service accounts (GMSAs). He outlines the permissions required for WMI filters, service connection points, and the need for service principal names (SPNs) registration, which varies depending on whether a GMSA or a normal service account is used.  He also notes that GPOADmin does not automatically gain control over existing GPOs, requiring manual permission adjustments. The video concludes with a reminder of the importance of managing permissions carefully to maintain security and functionality within Active Directory.