GMSA unable to run get-scheduledtask

asked 2021-04-02T17:47:28.977+00:00
Andrea Saba 101 Reputation points

Hello,

I set up 1 task with a GMSA and it works fine.
Then I wanted to get an email notification of whether the task was successful or not, so I set up another scheduled task that runs with the same GMSA.
In this one I use the command get-scheduledtask to get the required info, but I noticed that it doesn't work.
To be more detailed, in my current task I put the get-scheduledtask output in a variable and, in send-mailmessage, it is the subject.
I made a test and in the send-mailmessage I replaced the variable in the subject with just a word and it worked, so my conclusion is that the GMSA is not able to run get-scheduledtask.

I checked the NTFS permissions on the task folder and the task file, and tried giving the GMSA full control, but it still doesn't work.

Any suggestion will be much appreciated.

Thanks,
Andre


Accepted answer
  1. answered 2021-04-05T13:52:18.62+00:00
    Andrea Saba 101 Reputation points

    I tried Start-Transcript and it confirmed that the GMSA does not see the task name, so send-mailmessage cannot read the body and it doesn't send any emails.
    In Task Scheduler the task result is successful.

    I set up this script in a couple of different forests, and I notice that for 1 of them it works. Could there be some GPO that blocks it?


2 additional answers

  1. answered 2021-04-05T12:30:13.227+00:00
    Andrea Saba 101 Reputation points

    Sure, this is the script:

    # Sender address must be a quoted string
    $from = 'xxxx@contoso.com'
    $subject = "task result"
    # Status of "task 1", rendered as text for the mail body
    $res = get-scheduledtask -taskname "task 1" | Get-ScheduledTaskInfo | Out-String
    $log = "c:\results\log.txt"

    Send-MailMessage -from $from -to 'xxx@contoso.com' -Subject $subject -smtpserver smtp.contoso.com -body $res -attachments $log

    This script runs with a GMSA and it doesn't work; if I replace the $res with a single word it works.
    The GMSA has full control of the path of the scheduled tasks and the task files.
    If I run the task with my account or SYSTEM it works.

    I guess there is a permission issue with get-scheduledtask but I don't know exactly where I can check more.

  2. answered 2021-04-05T13:14:19.007+00:00
    MotoX80 23,491 Reputation points

    Generate a transcript and see what the error is.

    # Record all output and errors from this run
    Start-Transcript -path c:\results\transcript.txt
    $from = 'xxxx@contoso.com'
    $subject = "task result"
    $res = get-scheduledtask -taskname "task 1" | Get-ScheduledTaskInfo | Out-String
    $log = "c:\results\log.txt"
    Send-MailMessage -from $from -to 'xxx@contoso.com' -Subject $subject -smtpserver smtp.contoso.com -body $res -attachments $log
    Stop-Transcript

    Assuming that you're getting an access denied error, you can enable failure auditing with gpedit.msc. Then check the security event log for errors.

    If you have to dig deeper, (very deep!!) you can use Process Monitor to trace all file and registry access. Search for "access denied".

    https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

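
Added example, not part of the original thread and not code from either poster: a variant of the script discussed above that records which account the task really runs as and captures the `Get-ScheduledTask` error instead of letting `$res` come back empty, so a notification is still sent when the lookup fails. The task name, addresses, SMTP server and paths are the thread's placeholders; the fallback body text and the variable names are assumptions of this example.

```powershell
# Added diagnostic example. Run it from the same scheduled task, as the same gMSA.
$taskName = 'task 1'                       # placeholder from the thread
$log      = 'c:\results\log.txt'           # placeholder from the thread
Start-Transcript -Path 'c:\results\transcript.txt'

# Security context the task actually runs under (expected: DOMAIN\gmsaName$)
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

try {
    # -ErrorAction Stop turns a failed lookup into a terminating, catchable error
    $info = Get-ScheduledTask -TaskName $taskName -ErrorAction Stop |
            Get-ScheduledTaskInfo -ErrorAction Stop
    $body = $info |
            Format-List TaskName, LastRunTime, LastTaskResult, NextRunTime |
            Out-String
    $subject = "task result: $taskName (LastTaskResult=$($info.LastTaskResult))"
}
catch {
    # Send-MailMessage rejects an empty -Body, so report the failure in the body
    # instead of passing an empty string and losing the mail entirely.
    $visible = @(Get-ScheduledTask -ErrorAction SilentlyContinue).Count
    $body = "Get-ScheduledTask failed for '$taskName' running as $who`r`n" +
            "Error: $($_.Exception.Message)`r`n" +
            "Tasks visible to this account: $visible"
    $subject = "task result: lookup FAILED for $taskName"
}

$mail = @{
    From       = 'xxxx@contoso.com'        # placeholder from the thread
    To         = 'xxx@contoso.com'         # placeholder from the thread
    Subject    = $subject
    SmtpServer = 'smtp.contoso.com'        # placeholder from the thread
    Body       = $body
}
# Attach the log only if it exists, so a missing file cannot block the mail
if (Test-Path -Path $log) { $mail.Attachments = $log }

Send-MailMessage @mail
Stop-Transcript
```

Comparing the "Tasks visible to this account" count between the forest where the script works and one where it does not shows whether the gMSA sees no tasks at all or only lacks access to that one task.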