Is log on as a batch job required for gMSA accounts?

Daniel 61

I am looking for the definitive answer on this one.

This article says you have to add the account to the "log on as a batch job" privilegie

https://woshub.com/group-managed-service-accounts-in-windows-server-2012/

The creator of this forum thread seem to have stumbled upon that it isn't required. But there are no answers.

https://learn.microsoft.com/en-us/answers/questions/922156/gmsa-and-log-on-as-batch-job-privilege-to-run-a-sc?source=docs

What is the answer to this one? And if it is not required, what makes it work?

Is it a combination of the parameters -DNSHostName and -PrincipalsAllowedToRetrieveManagedPassword ? Or is it one of them? Or is it something completely different that is happening behind the scenes in active directory?

Daniel 61 Reputation points

2023-02-03T12:17:57.02+00:00

Silent as the grave...

1 answer

Thameur-BOURBITA 32,496 Reputation points

2023-02-03T13:06:49.2633333+00:00

Hi,

PrincipalsAllowedToRetrieveManagedPassword is required to allow GMSA password retrieved on target server. Without that the GMSA password cannot be used even if GMSA account has permissions to logon as the barch and logob as service permission.

Please don't forget to mark helpful answer as accepted
Please sign in to rate this answer.
Daniel 61 Reputation points

2023-02-06T07:22:30.62+00:00

Ok, thank you. So that paramter is required for it to even work.

So, what about the paramter "DNSHostname"? In the powershell cmdlet new-adserviceaccount that paramter is mandatory and PrincipalsAllowedToRetrieveManagedPassword isn't. What does dnshostname do?

But the question about log on as a batch job still remains. Is the GMSA account required to be in that local security policy group on the windows server to be able to run scheduled tasks on the server?

Thameur-BOURBITA 32,496 Reputation points

2023-02-07T16:11:31.81+00:00

Hi @Daniel

What does dnshostname do?

It's the FQDN of gmSA like DNSHOSTName attibut in computer object. For the mement,the DNSHostname is required when you create the GMSA account bit it's not used because there is no DNS record with FQDN of GMSA like the computer object.

But the question about log on as a batch job still remains. Is the GMSA account required to be in that local security policy group on the windows server to be able to run scheduled tasks on the server?

As I mentioned in my previous answer , yes GMSA need be granted log as the batch to be able to run schedule tasks on the server. For that you can use Group Policy Object or local Policy.

Please don't forget to mark helpful answer as accepted

Thameur-BOURBITA 32,496 Reputation points

2023-02-13T10:11:14.7566667+00:00

Hi @Daniel

Just checking if there is any update or prgress ?

Please don't forget to mark helpful as accepted

Daniel 61 Reputation points

2023-02-16T09:14:16.06+00:00

Hi Thameur,

Now I have had the time to do some testing.

I created a GMSA account and had it run a scheduled task, it ran a powershell script that only creates a text file in a folder.

The GMSA account is not a member of the local security policy group "log on as a batch job".

The next test I did was changing the property on the GMSA account, "PrincipalsAllowedToRetrieveManagedPassword". I changed it to a random other server name. Not the server which hosts the scheduled task. And it still works! The script ran and the text file was created.

So, again, can someone explain to me how this really works? Preferably documentation from microsoft.
Sign in to comment