The Service Account Problem Has a New Name
I’ve sat through more than one migration where something stopped working and the trace eventually led back to a service account nobody knew was there. In one case it was a Windows scheduled task running as domain admin that hadn’t been touched in years and didn’t have an owner anyone could name. The pattern keeps showing up because migration is the only exercise that forces enumeration of what an application actually depends on, and the dependencies tend to include credentials with more access than anyone remembered granting. Scoping the account down to the permissions it actually needed took longer than anyone wanted to spend on it, but it left the customer with permissions they could justify and revoke if they needed to. ...