Reputation: 533
How do I start PowerShell with a gMSA account? I right-click on the PowerShell icon, choose "Run as different user", then input domain\msa$ with no password. It errors out about the credentials being incorrect.
I've installed the service account on the machine, and running Test-ADServiceAccount returns true. I've granted it the 'Log on as a service' and 'Log on as a batch job' rights (I don't really think this was needed, but I tried it anyway and it didn't work).
Any ideas?
Upvotes: 2
Views: 23495
Reputation: 21
psexec DOES work, at least interactively. On the machine where the gMSA is 'installed' use this:
psexec -u DOMAIN\gMSA_acct$ powershell.exe
When prompted for the password just hit Enter. That will launch PowerShell as the gMSA. You can verify with a WHOAMI from that session.
You could use -p ~ to enter an empty password. This way no interaction is needed.
However this doesn't change the recommendation to run the task as the gMSA. That is 100% correct, you should NOT be running tasks as LocalSystem, especially if you need to access remote resources. Perhaps the file copy task can be split out from the rest.
Upvotes: 2
Reputation: 59798
There are different ways to set up tasks running a PS script with a gMSA; this is what I personally do because I find it easy.
$taskName = "My Scheduled Task Name"
$gMSAName = (Get-ADServiceAccount gMSA_Name).sAMAccountName # Or hardcode your gMSA name with a $ at the end
$runLevel = "Highest" # Or "Limited"; the only two valid values for -RunLevel
# -LogonType Password tells Task Scheduler to retrieve the managed password itself, so no password is stored in the task
$principal = New-ScheduledTaskPrincipal -UserId $gMSAName -LogonType Password -RunLevel $runLevel
Set-ScheduledTask -TaskName $taskName -Principal $principal
After running this and if everything went OK, once you re-open the Task Scheduler and search for your task you should see the name of your gMSA here:
Remember, once you have updated the task, if you need to edit it later Task Scheduler will force you to use a different user, and the whole process of updating the task via PS will have to be repeated.
Something to take into consideration:
(Get-ADServiceAccount gMSA_Name -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
This is the associated AD group, and your task server MUST be a member of this group in order to use the gMSA.
Upvotes: 2
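The two prerequisites the answers above mention (the gMSA installed on the host, and the host allowed to retrieve the managed password) can be checked before the task is registered. The script below is an added example, not code from either answer; the gMSA name, task name and script path are placeholders, and it assumes the ActiveDirectory and ScheduledTasks modules are available on the task server.

```powershell
# Added example (not from the original answers): register a scheduled task that runs a
# PowerShell script as a gMSA, after verifying the prerequisites the answers describe.
# Placeholders: gMSA name, task name and script path must be replaced for your environment.
$gmsaName   = 'gMSA_Name'                 # gMSA sAMAccountName without the trailing $
$taskName   = 'My Scheduled Task Name'
$scriptPath = 'C:\Scripts\CopyFiles.ps1'  # placeholder script to run as the gMSA

# 1. The gMSA must already be installed on this host (Install-ADServiceAccount).
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "gMSA '$gmsaName' is not usable on $env:COMPUTERNAME; run Install-ADServiceAccount first."
}

# 2. This computer must be listed in PrincipalsAllowedToRetrieveManagedPassword, either
#    directly or through one of the groups listed there.
$gmsa = Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$thisComputer = Get-ADComputer -Identity $env:COMPUTERNAME
$allowed = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn
    if ($obj.ObjectClass -eq 'group') {
        (Get-ADGroupMember -Identity $dn -Recursive).DistinguishedName
    } else {
        $obj.DistinguishedName
    }
}
if ($allowed -notcontains $thisComputer.DistinguishedName) {
    throw "$env:COMPUTERNAME is not allowed to retrieve the managed password of $gmsaName."
}

# 3. Build the task. LogonType Password makes Task Scheduler fetch the managed password
#    itself, so nothing is stored in the task. Use RunLevel Highest only if the script
#    really needs elevation.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId $gmsa.SamAccountName `
                 -LogonType Password -RunLevel Limited

# Create the task, or update it in place if it already exists.
if (Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue) {
    Set-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal | Out-Null
} else {
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal | Out-Null
}

# 4. Confirm the task's principal really is the gMSA with a password logon type.
(Get-ScheduledTask -TaskName $taskName).Principal | Select-Object UserId, LogonType, RunLevel
```

If the task's UserId shows the gMSA but the task still fails to start, the host has usually lost its membership in the retrieval group since the gMSA was installed; re-run the membership check after a reboot so the computer's Kerberos ticket reflects the new group.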