This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Based on: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-group-managed
I'm trying to implement the gMSA for the following scenario:
Would that be working for the above scenario or will cause some issues?
I would appreciate any assistance you can provide.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi @EnterpriseArchitect ,
Please don't forget to mark helpful answer as accepted
Thank you @Thameur-BOURBITA , Is there any URL for the gMSA support so I know which one can be supported and which cannot?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query
This should work. But what I can suggest is try to adjust your permission or the permission for the gMSA to make sure that the service account required access has it. In addition, it depends on your service accounts. You maybe need configuring Kerberos delegation so that the required authentication for the services will be provided for the gMSA.
If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.
Which one works?
Hi, while running service with GMSA, you need to keep the password blank. However, for task scheduler blank password does not work.
You need to create, configure task using PowerShell if you want to run it using GMSA. Also, you can create a task with normal account and define parameters. Later, you can run the command below to replace the normal user account with GMSA
schtasks /change /TN \test_gmsa_task /RU contoso\testgmsa$ /RP
Note: The command is not documented in any Microsoft documents but it does it's work. However, if it does not work for some reason, you may not get support from Microsoft to troubleshoot why it does not work.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 18%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE2%3C/text%3E%3C/svg%3E)
Your answer works. ChatGPT couldn't figure it out. Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 84%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEG%3C/text%3E%3C/svg%3E)
@Mukesh Agarwal , following your suggestion I'm getting this error:
PS C:\WINDOWS\system32> schtasks /change /TN \"Test InQuote - Stage distances CSVs" /RU domain\it015-p-dbaa00$ /RP
WARNING: When the run-as password is empty, the scheduled task may not run because of the security policy.
ERROR: The user name or password is incorrect.
I've also tried to set the principal this way:
PS C:\WINDOWS\system32> $principal = New-ScheduledTaskPrincipal -UserId 'EMEA\IT015-P-DBAA00$' -LogonType Password -RunLevel Highest
PS C:\WINDOWS\system32> Register-ScheduledTask -Action $action -Trigger $trigger -Principal $principal -TaskName "Test InQuote - Stage distances CSVs"
Register-ScheduledTask : The user name or password is incorrect.
At line:1 char:1
+ Register-ScheduledTask -Action $action -Trigger $trigger -Principal $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : AuthenticationError: (PS_ScheduledTask:Root/Microsoft/...S_ScheduledTask) [Register-Sche
duledTask], CimException
+ FullyQualifiedErrorId : HRESULT 0x8007052e,Register-ScheduledTask
Any clue?
Thanks
Oops sorry, I did not notice this command earlier and have checked it after really a long time.
I see you used the command as "domain\it015-p-dbaa00$ /RP" where the domain was supposed to be netbios name of your domain. You need to replace it with your actual domain name.
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more
Hi @limitless technology & @thameur,
How do you type in the password for gMSA when it is used as a Service account and Task Scheduler?
Hi
You don’t need to type password,
you have just specify the account name .