Using gMSA for replacing the Task Scheduler service account?

EnterpriseArchitect 5,376 Reputation points
2024-07-17T07:06:45.8466667+00:00

What steps should I follow to change the current Task Scheduler service account from using the regular AD Account in the format of CORP\service.account to a gMSA?

When I try to change it manually by double-clicking on the task, it prompts for the password after clicking the OK button.


Accepted answer
  1. Daisy Zhou 23,336 Reputation points Microsoft Vendor
    2024-07-17T11:52:49.78+00:00

    Hello EnterpriseArchitect,

    Thank you for posting in the Q&A forum.

    Changing the service account for scheduled tasks to a Group Managed Service Account (gMSA) involves several steps to ensure a smooth transition. Here’s a detailed guide to help you with the process:

    1. Ensure Environment Compatibility: Make sure your environment supports gMSAs. This typically means having a Windows Server 2012 or later domain controller.

    2. Create gMSA: If not already created, a domain administrator will need to create the gMSA.

       Install the gMSA on each server that will use it.

    3. Grant Required Permissions: Ensure that the gMSA has the necessary permissions to run the scheduled tasks.

    4. Change the Task Scheduler Service Account:

       For a single task:

       1. Open Task Scheduler.

       2. Select the task you want to change.

       3. Right-click and select "Properties".

       4. Go to the “General” tab.

       5. In the “Security options” section, click “Change User or Group…”

       6. Enter the gMSA name in the format Domain\gMSAName$ (don’t forget the $ at the end of the gMSA name).

       7. Click “OK”.

       8. Click “OK” again to close the task properties.

    If it prompts for a password, it indicates that Task Scheduler does not recognize the account as a gMSA. Make sure you have entered the correct name with the $ suffix.

    5. Update Service Configuration (if applicable): If your task is tied to a service, update the service configuration to use the gMSA.

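        # Set-Service -Credential exists only in PowerShell 6 and later and expects
        # a PSCredential; a plain string here makes PowerShell prompt for a password.
        $serviceName = 'YourServiceName'
        $gmsaName    = 'Domain\gMSAName$'   # single quotes keep the trailing $ literal
        Set-Service -Name $serviceName -Credential $gmsaName -StartupType Automatic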

    6. Verify the Changes: Ensure the task runs successfully with the new service account by manually triggering the task and checking if it completes without errors.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou


    1 person found this answer helpful.
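
The steps in the answer above (create, install, assign, verify), carried out from PowerShell instead of the Task Scheduler dialog. This is an added example, not part of the original answer; the gMSA name, host group, DNS name and task name are hypothetical placeholders, and the CORP domain is taken from the question.

```powershell
# Hypothetical names: replace with your own values.
$gmsaName  = 'gmsaTasks'                    # account name without the trailing $
$gmsaUser  = 'CORP\' + $gmsaName + '$'      # CORP\gmsaTasks$
$hostGroup = 'TaskHosts'                    # AD group containing the servers that run the task
$taskName  = 'Nightly-Export'
$taskPath  = '\'

# Step 2a: create the gMSA (domain administrator, ActiveDirectory module).
# A KDS root key must already exist in the domain (check with Get-KdsRootKey on a DC).
# Only members of $hostGroup are allowed to retrieve the managed password.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.corp.example" `
        -PrincipalsAllowedToRetrieveManagedPassword $hostGroup
}

# Step 2b: install and test the gMSA on each server that runs the task (elevated).
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "This host cannot retrieve the password for $gmsaUser. Check group membership and reboot."
}

# Step 3: the gMSA needs the "Log on as a batch job" right on this server and
# access to whatever files or shares the task touches. Grant only what it needs.

# Step 4: replace the task principal. LogonType Password means Task Scheduler
# obtains the managed password from AD itself, so no password is supplied here.
$principal = New-ScheduledTaskPrincipal -UserId $gmsaUser -LogonType Password
Set-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Principal $principal | Out-Null

# Step 6: confirm the new principal, trigger a run and read back the result.
$task = Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath
"Task now runs as: $($task.Principal.UserId)"

Start-ScheduledTask -TaskName $taskName -TaskPath $taskPath
Start-Sleep -Seconds 10
Get-ScheduledTaskInfo -TaskName $taskName -TaskPath $taskPath |
    Select-Object LastRunTime, LastTaskResult    # LastTaskResult 0 = success
```

Once the task runs cleanly under the gMSA, remove the old CORP\service.account from any groups and rights it no longer needs.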
