RonKyle (8/29/2016)
But, you say, I'd know which services were using that account, so it shouldn't matter, right?
Actually, I wouldn't have said that. I agree that is a downside to the Managed Service Accounts. But the folder to which the machine account has access doesn't contain particularly sensitive information. It will be interesting to see if MS takes the accounts a little further. Still, there is a huge upside to having accounts that are impossible to use as login account and don't require password maintenance.
Sorry, I wasn't trying to imply that would be something you would or would not say, I tend to write sometimes as though I'm having a conversation (often with myself.)
And yes, I do agree that MSAs / gMSAs are a wonderful thing for managing service account passwords. But the paranoiac in me wants to prevent any possible foot in the door and would prefer not to use a machine account for accessing a share.