GMSA unable to run get-scheduledtask

Andre-6953 asked:

Hello,

I set up one task with a gMSA and it works fine.
Then I wanted to get an email notification on whether the task was successful or not, so I set up another scheduled task that runs with the same gMSA.
In this one I use the command get-scheduledtask to get the required info, but I noticed that it doesn't work.
To be more detailed, in my current task I put the output of get-scheduledtask in a variable and, in send-mailmessage, it is the subject.
I made a test and in the send-mailmessage I replaced the variable in the subject with just a word and it worked, so my conclusion is that the gMSA is not able to run get-scheduledtask.

I checked the NTFS permissions on the task folder and the task file, and tried to give the gMSA full control, but it keeps not working.

Any suggestion will be much appreciated.

Thanks,
Andre

Tags: windows-server, windows-server-powershell

Hi,
Just want to confirm the current situation.
If the reply is helpful, please "Accept Answer" to help other community members find it more easily.


Can you help to post your script?


Andre-6953 answered:

I tried Start-Transcript and it confirmed that the gMSA does not see the task name, so Send-MailMessage cannot read the body and it doesn't send any emails.
In Task Scheduler the task result is successful.

I set up this script in a couple of different forests, and I notice that for one of them it works; could it be some GPO that blocks it?


I have never worked with managed service accounts, so I can't help you there.

From just a permissions/rights point of view, I do have two thoughts. If you just run a "get-scheduledtask" in the script, do any tasks show up in the transcript?

Also add a "whoami.exe /all" to the script. Compare the GROUP and PRIVILEGES INFORMATION sections for the domain that works to one that doesn't.


MotoX, thank you very much for your suggestion!

Once I ran only get-scheduledtask with the transcript, I saw that the gMSA can access every task only under Microsoft!
I deleted and imported the tasks under the Microsoft folder and now everything works fine!

Really, thank you! :)

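The fix Andre describes, re-creating the task under the \Microsoft\ folder with the gMSA as principal, can be scripted rather than done by delete-and-import in the GUI. The following is an added example and not code from the thread; the account name CONTOSO\gmsa-tasks$, the folder \Microsoft\Contoso\, the script path and the daily trigger are all assumptions.

```powershell
# Added example, not code from the thread: register the notification task under the
# \Microsoft\ folder, running as a gMSA, which is the change Andre describes above.
# The account name, folder name, script path and schedule below are assumptions.

$gmsa     = 'CONTOSO\gmsa-tasks$'            # gMSA SAM account name, trailing $ included
$taskPath = '\Microsoft\Contoso\'            # custom subfolder beneath \Microsoft (assumed)
$taskName = 'task 1 - result mail'
$script   = 'C:\scripts\Send-TaskResult.ps1'

# The host must be allowed to retrieve the gMSA password (PrincipalsAllowedToRetrieveManagedPassword),
# otherwise the task registers fine but never starts. Test-ADServiceAccount needs the RSAT
# ActiveDirectory module, so the check is skipped when the cmdlet is not present.
if (Get-Command Test-ADServiceAccount -ErrorAction SilentlyContinue) {
    $sam = ($gmsa -split '\\')[1]
    if (-not (Test-ADServiceAccount -Identity $sam)) {
        throw "This host cannot retrieve the managed password for $gmsa."
    }
}

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$script`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '06:00'
# LogonType Password with no password supplied is how a gMSA is bound to a task:
# the Task Scheduler service retrieves the managed password from AD on its own.
$principal = New-ScheduledTaskPrincipal -UserId $gmsa -LogonType Password -RunLevel Limited
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

# Drop any copy still sitting in the root folder, then register under \Microsoft\...
Unregister-ScheduledTask -TaskName $taskName -TaskPath '\' -Confirm:$false -ErrorAction SilentlyContinue
Register-ScheduledTask -TaskName $taskName -TaskPath $taskPath `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings | Out-Null

# Verify the task landed where expected; SecurityDescriptor is the task's own ACL in SDDL form.
Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath |
    Select-Object TaskName, TaskPath, State, SecurityDescriptor
```

Run this elevated on the host that runs the task. Two things worth checking alongside it: the gMSA must hold the "Log on as a batch job" user right on that host, which a GPO can remove, and the SecurityDescriptor shown at the end is the ACL Task Scheduler itself enforces on the task, which is a separate thing from the NTFS permissions on the files under System32\Tasks that the question mentions.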
Andre-6953 answered:

Sure, this is the script:

 $from = 'xxxx@contoso.com'    # sender address (the value must be quoted)
 $subject = "task result"
 $res = Get-ScheduledTask -TaskName "task 1" | Get-ScheduledTaskInfo | Out-String
 $log = "c:\results\log.txt"

 Send-MailMessage -From $from -To 'xxx@contoso.com' -Subject $subject -SmtpServer smtp.contoso.com -Body $res -Attachments $log

This script runs with a gMSA and it doesn't work; if I replace $res with a single word it works.
The gMSA has full control of the path of the scheduled tasks and the task files.
If I run the task with my account or SYSTEM it works.

I guess there is a permission issue with get-scheduledtask but I don't know exactly where I can check more.


MotoX80 answered:

Generate a transcript and see what the error is.

 Start-Transcript -Path c:\results\transcript.txt
 $from = 'xxxx@contoso.com'    # quoted, otherwise PowerShell treats it as a command
 $subject = "task result"
 $res = Get-ScheduledTask -TaskName "task 1" | Get-ScheduledTaskInfo | Out-String
 $log = "c:\results\log.txt"
 Send-MailMessage -From $from -To 'xxx@contoso.com' -Subject $subject -SmtpServer smtp.contoso.com -Body $res -Attachments $log
 Stop-Transcript

Assuming that you're getting an access denied error, you can enable failure auditing with gpedit.msc. Then check the security event log for errors.

[screenshot: capture.jpg]


If you have to dig deeper, (very deep!!) you can use Process Monitor to trace all file and registry access. Search for "access denied".

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon



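Putting MotoX80's three suggestions (transcript, whoami /all, a bare Get-ScheduledTask) into one script gives a diagnostic that can be scheduled under the gMSA and read back afterwards. This is an added example, not code from the thread; the transcript path under C:\results and the task name "task 1" are taken from the posted script, the folder list is an assumption, and the per-folder loop goes slightly beyond the thread by querying each task folder separately so one inaccessible folder does not hide the others.

```powershell
# Added diagnostic, not code from the thread. Schedule this script under the gMSA
# (the same way the mail task is scheduled), then read the transcript as an admin.
# The output path and the folder list are assumptions; adjust for your host.

$ErrorActionPreference = 'Continue'
Start-Transcript -Path 'C:\results\gmsa-diag.txt' -Append

# 1. Which identity, groups and privileges does the task really run with?
#    Compare this section between the forest that works and the one that does not.
whoami.exe /all

# 2. What does a bare enumeration return, grouped by folder?
$all = Get-ScheduledTask -ErrorAction SilentlyContinue
"Tasks visible from a bare Get-ScheduledTask: $(@($all).Count)"
$all | Group-Object TaskPath | Sort-Object Name |
    Select-Object @{n='TaskPath'; e={$_.Name}}, Count | Format-Table -AutoSize

# 3. Query each folder on its own; a folder this identity cannot open shows up
#    here as an error or an empty result instead of silently vanishing.
foreach ($folder in '\', '\Microsoft\', '\Microsoft\Windows\') {
    try {
        $n = @(Get-ScheduledTask -TaskPath $folder -ErrorAction Stop).Count
        "OK      {0,-22} {1} task(s)" -f $folder, $n
    } catch {
        "FAILED  {0,-22} {1}" -f $folder, $_.Exception.Message
    }
}

# 4. The task the mail script depends on, with the ACL Task Scheduler enforces
#    (SecurityDescriptor, SDDL) and the NTFS ACL on its backing XML file.
$taskName = 'task 1'
$t = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($t) {
    "Found $($t.TaskPath)$($t.TaskName)"
    "Task security descriptor: $($t.SecurityDescriptor)"
    $t | Get-ScheduledTaskInfo | Select-Object LastRunTime, LastTaskResult, NextRunTime
    $file = Join-Path "$env:SystemRoot\System32\Tasks" ($t.TaskPath.TrimStart('\') + $t.TaskName)
    try {
        (Get-Acl -Path $file).Access |
            Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    } catch {
        "Cannot read NTFS ACL on $file : $($_.Exception.Message)"
    }
} else {
    "Get-ScheduledTask -TaskName '$taskName' returned nothing under this identity."
}

Stop-Transcript
```

Reading the transcript: if section 2 lists only \Microsoft\... folders while section 3 reports the root folder as failed or empty, the gMSA is being stopped by Task Scheduler's own access check on that folder, which is what Andre found; the NTFS ACL printed in section 4 can then be compared with the task's SecurityDescriptor to see which of the two is actually denying access. If the transcript instead shows an access-denied error text, that is the point at which to turn on the failure auditing MotoX80 describes and look in the Security event log.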