Enterprise Key Admins Group and ADFS Service Account

  • Question

  • I recently upgraded a Windows Server 2012 R2 ADFS farm to Windows Server 2016. After executing the Invoke-ADFSFarmBehaviorLevelRaise cmdlet to raise the FBL the following warning appears:

    The message appears since the Enterprise Key Admins group does not exist, as I didn't have Windows Server 2016 domain controllers at that time. I do have them now, but my question is: is there any problem, or a potential for a problem in the future, if the ADFS service account is not added to this group? I read the following article about the great privileges that are granted to this group, and I am not sure that the ADFS service account needs so many privileges. Can I go without adding the service account (in my case it is a gMSA) to the group?

    Wednesday, October 25, 2017 8:17 PM

Answers

  • Yes, but you will not be able to use all the Windows Hello for Business deployment options. If that is not in your roadmap yet, then just ignore it and deal with it when you will want to use WH4B.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, October 25, 2017 10:27 PM

All replies

  • Is there a way to create that Global Group Manually?
    Wednesday, May 30, 2018 9:32 PM
  • Daniel Ulrichs points out at https://secureidentity.se/adprep-bug-in-windows-server-2016 that adding a Windows Server 2016 DC and moving the FSMO role PDC Emulator to that DC creates the Key Admins and Enterprise Key Admins groups. I didn't find that information anywhere within the Microsoft documentation.

    Thursday, July 5, 2018 9:44 PM
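As an added check for the situation described in the question and in the last reply (this is example code, not from any poster in the thread): the script below verifies whether the Key Admins and Enterprise Key Admins groups exist in the forest root domain, which DC currently holds the PDC Emulator role and what OS it runs, and whether the ADFS gMSA is already a member of Enterprise Key Admins. It assumes the ActiveDirectory RSAT module is installed and that `$AdfsGmsa` is a placeholder you replace with your own gMSA's sAMAccountName; it only reads from AD and changes nothing.

```powershell
# Added example: read-only checks around the Enterprise Key Admins question above.
# Assumption: ActiveDirectory module present; $AdfsGmsa is a placeholder name.
Import-Module ActiveDirectory

$AdfsGmsa  = 'gmsa-adfs$'                 # placeholder: your ADFS gMSA sAMAccountName (ends with $)
$RootDomain = (Get-ADForest).RootDomain   # both groups live in the forest root domain

# 1. Do the groups exist yet? They only appear once a 2016+ DC holds the PDC Emulator role.
$groups = @{}
foreach ($name in 'Key Admins', 'Enterprise Key Admins') {
    $grp = Get-ADGroup -Server $RootDomain -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    $groups[$name] = $grp
    if ($grp) { "Group '$name' exists: $($grp.DistinguishedName)" }
    else      { "Group '$name' is MISSING in $RootDomain" }
}

# 2. Which DC holds the PDC Emulator role, and which OS does it run?
$pdcName = (Get-ADDomain -Identity $RootDomain).PDCEmulator
$pdc     = Get-ADDomainController -Identity $pdcName
"PDC Emulator: $($pdc.HostName) running '$($pdc.OperatingSystem)'"
if ($pdc.OperatingSystem -notmatch '2016|2019|2022') {
    "PDC Emulator is not on a 2016+ DC; the groups will not be created until it is."
}

# 3. Is the ADFS gMSA a member (directly or via nesting) of Enterprise Key Admins?
$eka = $groups['Enterprise Key Admins']
if ($eka) {
    $member = Get-ADGroupMember -Server $RootDomain -Identity $eka -Recursive |
              Where-Object { $_.SamAccountName -eq $AdfsGmsa }
    if ($member) { "$AdfsGmsa IS a member of Enterprise Key Admins" }
    else         { "$AdfsGmsa is NOT a member of Enterprise Key Admins (fine unless you deploy WH4B key trust)" }
}
```

Run it as a user who can read the forest root domain. Because the group grants broad rights on key-credential attributes, adding the gMSA is a deliberate decision to make when a Windows Hello for Business deployment actually requires it, not something to do pre-emptively; the membership check above makes it easy to audit which accounts currently hold that privilege.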