Preparing the Active Directory Forest

This article assumes prior knowledge of the requirements and limitations of using gMSAs and that you have prepared the Forest by creating the required KDS Root Key.

If you haven’t, the cmdlet is included below for convenience, but please refer to the Microsoft post for more information.[1]

Add-KDSRootKey -EffectiveImmediately

Creating a Group Managed Service Account

This article also assumes prior knowledge of how to create a gMSA. Please refer to the aforementioned Microsoft post for more information.[2]

Again, I have included the cmdlet to create a gMSA in the interests of convenience.

New-ADServiceAccount -Name [gmsaName] -DNSHostName [FQDN] -PrincipalsAllowedToRetrieveManagedPassword [Group/ADAccount]

Creating a Scheduled Task

There are two options for creating a scheduled task.

  1. Create the scheduled task with the gMSA in PowerShell; or
  2. Create the task with a temporary account in the GUI and add the gMSA afterwards with PowerShell.

If you elect to use the first option, complete the steps in this section. If you choose the second, skip to the ‘Modifying an existing Scheduled Task’ section.

First, a Task Action, a Trigger and a Task Principal need to be defined before the Scheduled Task is created.

# A .ps1 file is not directly executable, so the action runs it through powershell.exe
$act = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -File "C:\ExampleScript.ps1"'
$trigg = New-ScheduledTaskTrigger -Daily -At '00:00'
# gMSA names end with a trailing $; quote the value so PowerShell does not treat it as a variable
$princ = New-ScheduledTaskPrincipal -UserId '[DOMAIN\gmsaName]$' -LogonType Password

Tip

‘Password’ is the literal word and NOT an actual password.

Note

Using Password as the argument for the LogonType parameter instructs the task to retrieve the password from Active Directory.

To create the Scheduled Task simply use the previously defined variables for the corresponding parameter:

Register-ScheduledTask -TaskName [taskName] -Action $act -Trigger $trigg -Principal $princ

The scheduled task is now created and ready to go. However, one must make sure that the gMSA has the relevant permissions to perform the requested tasks.

Info

If the task executes a script, the gMSA needs to be granted the ‘Log on as a batch job’ user right on the host that runs the task.

Modifying an existing Scheduled Task

This section demonstrates how to modify an existing Scheduled Task, regardless of whether it was created with the GUI or with PowerShell.

The first step is to get the name of the existing task. If you already know it, you can skip this step; if you don’t, you can list the tasks with the Get-ScheduledTask cmdlet:

Get-ScheduledTask

The next step is to define the TaskPrincipal:

# gMSA names end with a trailing $; quote the value so PowerShell does not treat it as a variable
$pric = New-ScheduledTaskPrincipal -UserId '[DOMAIN\gmsaName]$' -LogonType Password

Tip

‘Password’ is the literal word and NOT an actual password.

Note

Using Password as the argument for the LogonType parameter instructs the task to retrieve the password from Active Directory.

Once the TaskPrincipal is defined, the task can be modified using the Set-ScheduledTask cmdlet:

Set-ScheduledTask -TaskName [TaskName] -Principal $pric

The scheduled task has now been modified to use the gMSA. However, one must make sure that the gMSA has the relevant permissions to perform the requested tasks.

Info

If the task executes a script, the gMSA needs to be granted the ‘Log on as a batch job’ user right on the host that runs the task.
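The two procedures above (creating a task with the gMSA, and re-pointing an existing one at it) combined into a single script, as an added example that is not part of the original article. It first checks that the host is actually permitted to retrieve the managed password, which is the most common reason a gMSA-backed task never starts, and then verifies the resulting principal. The task name, gMSA name, domain and script path are placeholders.

```powershell
# Added example (not the article's own code): register a task as a gMSA, or
# switch an existing task to the gMSA, then verify the principal.
#Requires -Modules ActiveDirectory, ScheduledTasks
param(
    [string]$TaskName   = 'ExampleTask',         # placeholder
    [string]$GmsaName   = 'gmsaExample',         # sAMAccountName without the trailing $
    [string]$Domain     = 'CONTOSO',             # placeholder NetBIOS domain name
    [string]$ScriptPath = 'C:\ExampleScript.ps1' # placeholder
)

# 1. Confirm this host can retrieve the managed password. If this returns $false the
#    task will fail at logon no matter how it is registered (the host is missing from
#    PrincipalsAllowedToRetrieveManagedPassword, or Install-ADServiceAccount was not run).
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "This host cannot retrieve the managed password for $GmsaName."
}

# 2. gMSA principals are referenced with a trailing '$'. LogonType 'Password' tells the
#    Task Scheduler to fetch the managed password from Active Directory at run time.
$principal = New-ScheduledTaskPrincipal -UserId ('{0}\{1}$' -f $Domain, $GmsaName) -LogonType Password

$existing = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($existing) {
    # Modify path: keep the action and trigger, replace only the principal.
    Set-ScheduledTask -TaskName $TaskName -Principal $principal | Out-Null
} else {
    # Create path: a .ps1 is not directly executable, so run it through powershell.exe.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument ('-NoProfile -File "{0}"' -f $ScriptPath)
    $trigger = New-ScheduledTaskTrigger -Daily -At '00:00'
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal | Out-Null
}

# 3. Verify: the task should now run as the gMSA with the Password logon type.
$task = Get-ScheduledTask -TaskName $TaskName
[pscustomobject]@{
    TaskName  = $task.TaskName
    RunAs     = $task.Principal.UserId
    LogonType = $task.Principal.LogonType
}
```

The verification object does not cover the ‘Log on as a batch job’ right, which is granted through Local Security Policy or Group Policy and must still be checked separately.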


  1. Doug Symalla, ‘Windows Server 2012: Group Managed Service Accounts’ (TechNet Blogs, 16 December 2012) <https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-server-2012-group-managed-service-accounts/ba-p/255910> accessed 21 April 2017 (link updated 2 August 2020).

  2. ibid.