I am currently reviewing my work's default domain controller policy GPO against the MS Security Compliance Manager, and one of the things I have found is that there are many things that have user rights assignments that do not appear in the compliance baseline. Many of these things look to be machine accounts such as:
- DOMAIN\IWAM_[Server-Name]
- DOMAIN\SQLServer2005MSSQLUser$[Server-Name]$MICROSOFT##SSEE
- DOMAIN\IUSR_[Server-Name]
Should I be following the compliance manager's advice and removing them, or trust that Windows knows what it is doing and leave them alone?
Alternatively, Ben knows what the accounts are used for, but made a decision not to list that information under the assumption that everyone here would know that, and spending the time to list those things out was pointless.
"move them to new servers (except for DNS, of course)"
Why "of course"? Yes, DNS can sit on your domain controllers, but it doesn't have to, and there are environments where it makes sense to have them separate (and sometimes not even on Windows).
I would agree that, in general, things like SQL Embedded, IIS, etc. don't belong on domain controllers as a matter of best practice, but there may be site-specific reasons for them to be there.
The simplest answer to Ben's question is to actually answer the question he's asked, rather than assuming a whole bunch of things that may or may not be true or relevant in his particular circumstance, and issuing edicts to take actions that may actually make issues for him worse, rather than better.
Those are well-known system accounts for well-known services (IIS and SQL), and it's pretty concerning that your first thought was to ask about removing them, instead of finding out what they're used for in your environment.
Here's a decent answer on the use of IUSR and IWAM by IIS, and the SQL account... who knows. SSEE stands for SQL Server Embedded Edition, and I've seen this around some basic SharePoint installs, so that could be what it is, or it could be something else. (SharePoint would account for both IIS and SQL, for what it's worth... though SharePoint on a Domain Controller is just gross.)
However, either way, the important thing here is you not start messing with stuff without having some idea about what it is and what it does. Think of your server like a car. You opened up the hood based on a document about changing your oil and saw three things that are unfamiliar to you. Are you just going to yank them out and see what happens/hope for the best?
What you really ought to do is figure out what all services are running on your domain controllers, move them to new servers (except for DNS, of course), and once you've finished that and verified that these accounts are no longer being accessed, then you can safely remove them from your domain controllers.
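A starting point for the "find out what these accounts are used for before touching them" step, as an added example that is not part of the answer above: it exports the domain controller's user rights assignments with secedit, lists the ones held by IIS/SQL-style accounts, and checks the Security log for recent logons by them. The account-name patterns and the 30-day window are assumptions; run it elevated on the DC being reviewed.

```powershell
# Added example: review user rights assignments held by service-style accounts on this DC.
# Assumes an elevated session on the domain controller; name patterns below are assumptions.

function Get-UserRightsAssignment {
    param([string]$InfPath)
    $inSection = $false
    foreach ($line in Get-Content $InfPath) {
        # Only the [Privilege Rights] section of the secedit export is of interest
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            # Entries are either "*<SID>" or a literal name; resolve SIDs where possible
            $name = $entry
            if ($entry.StartsWith('*')) {
                try { $name = ([System.Security.Principal.SecurityIdentifier]$entry.Substring(1)).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = $entry }   # orphaned SID: keep the raw value so it stays visible
            }
            [pscustomobject]@{ Right = $right; Account = $name }
        }
    }
}

$inf = Join-Path $env:TEMP 'ura-export.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$assignments = Get-UserRightsAssignment -InfPath $inf

# Patterns taken from the account names in the question (assumed; adjust to your environment)
$servicePattern = '\\(IUSR_|IWAM_|SQLServer2005MSSQLUser\$)'
$suspects = $assignments | Where-Object { $_.Account -match $servicePattern }
$suspects | Sort-Object Account, Right | Format-Table -AutoSize

# Step 1 of the answer's advice: which services on this DC actually run as those accounts?
Get-CimInstance Win32_Service | Where-Object { $_.StartName -match $servicePattern } |
    Select-Object Name, StartName, State | Format-Table -AutoSize

# Step 2: have the accounts logged on recently? (Event ID 4624, Properties[5] = TargetUserName)
$names = $suspects.Account | ForEach-Object { ($_ -split '\\')[-1] } | Sort-Object -Unique
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    Where-Object { $names -contains $_.Properties[5].Value } |
    Group-Object { $_.Properties[5].Value } |
    Select-Object Name, Count
```

An account that holds a right, runs no service and shows no logons over the window is a candidate for removal; one with hits is still in use and the service behind it should be relocated first, as the answer suggests.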