As @PickleRick also said, this depends on which kind of access you have in your AD environment. If I have understood right (I’m not a Windows guru), it’s best practice to deny additional access from system local to the AD environment. There are other roles defined for managing AD. I suppose that there are too many AD environments where these hardenings haven’t been implemented. I said that from a security point of view it’s much better to use an MSA than to modify your current GPO to allow access to your system local account. You should find from the event logs that there are some denied attempts to access it when you are using a domain admin (or similar) role.