I am looking for the definitive answer on this one.
This article says you have to add the account to the "log on as a batch job" privilege:
https://woshub.com/group-managed-service-accounts-in-windows-server-2012/
The creator of this forum thread seems to have stumbled upon the fact that it isn't required. But there are no answers.
https://learn.microsoft.com/en-us/answers/questions/922156/gmsa-and-log-on-as-batch-job-privilege-to-run-a-sc?source=docs
What is the answer to this one? And if it is not required, what makes it work?
Is it a combination of the parameters -DNSHostName and -PrincipalsAllowedToRetrieveManagedPassword? Or is it one of them? Or is it something completely different that is happening behind the scenes in Active Directory?
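Added example (not from the question, the linked article or the Microsoft thread): the end-to-end setup the question is about, so that the two parameters it names can be seen where they are actually used, followed by a check of which principals currently hold the "Log on as a batch job" right on the task host. The domain `corp.example`, the member server `app01`, the gMSA name `svc-task`, the script path and the task name are placeholders; it assumes a KDS root key already exists and that the ActiveDirectory module is available where steps 1 and 2 run.

```powershell
# Added example, not code from the question or the linked pages. Placeholders:
# domain corp.example, host app01, gMSA svc-task, task NightlyExport.

# 1. Create the gMSA (run on a domain-joined admin host with RSAT).
#    -DNSHostName sets the account's DNS host name attribute.
#    -PrincipalsAllowedToRetrieveManagedPassword lists the computer accounts
#    (or a group of them) allowed to read the managed password from AD.
New-ADServiceAccount -Name 'svc-task' `
    -DNSHostName 'svc-task.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'app01$'

# 2. On app01: install the account locally and confirm this host can
#    retrieve its password (returns True on success).
Install-ADServiceAccount -Identity 'svc-task'
Test-ADServiceAccount -Identity 'svc-task'

# 3. On app01: register a task that runs as the gMSA. -LogonType Password
#    tells the Task Scheduler to obtain the managed password from AD at run
#    time; no password is supplied by the administrator.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument '-NoProfile -File C:\Scripts\export.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'CORP\svc-task$' -LogonType Password
Register-ScheduledTask -TaskName 'NightlyExport' -Action $action `
    -Trigger $trigger -Principal $principal

# 4. Check who currently holds "Log on as a batch job" (SeBatchLogonRight)
#    on this host, by exporting the effective local security policy.
function Get-BatchLogonRightHolders {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeBatchLogonRight*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # The value is a comma-separated list; SIDs are prefixed with "*".
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                ).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }   # unresolvable SID: keep it raw
        } else { $entry }
    }
}

Get-BatchLogonRightHolders

# 5. Run the task once and read the result code (0 = success).
Start-ScheduledTask -TaskName 'NightlyExport'
Start-Sleep -Seconds 5
(Get-ScheduledTaskInfo -TaskName 'NightlyExport').LastTaskResult
```

Step 4 only reports what the host's policy grants (including groups the gMSA may be a member of); it does not by itself decide the question in the post. Comparing that output with the task's LastTaskResult in step 5, once with the gMSA absent from the right and once with it added via a group, is a way to test the claim on your own host.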