GMSA unable to run get-scheduledtask

Andrea Saba 101 Reputation points
2021-04-02T17:47:28.977+00:00

Hello,

I setup 1 task with a GMSA and it works fine.
Then I want to get an email notification if the task was succesfully or not so I setup another schedule task that run with the same GMSA.
In this one I use the command get-scheduletask to have the required info, but I notice that it doesn't work.
To be more detailed, in my current task I put in a variable the get-scheduledtask and, on send-mailmessage it is the subject.
I made a test and in the send-mailmessage I replace the variable in the subject with just a word and it worked so my conclusion is that the GMSA is not able to run the get-scheduledtask.

I checked the NTFS permissions on the task folder, the task file, tried to give the gmsa full control but it keeps not working.

Any suggestion will be much appreciated

Thanks,
Andre

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,127 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,364 questions
Accepted answer
  1. Andrea Saba 101 Reputation points
    2021-04-05T13:52:18.62+00:00

    I tried the start-transcript and it confirmed that the gmsa do not see the taskname, so in the send-mailmessage cannot read the body and it doesn't send any emails.
    In the task schedule the task result is succesfully.

    I setup this script in a couple of different forests, I notice that for 1 of them it works, could be some GPO that block it?

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andrea Saba 101 Reputation points
    2021-04-05T12:30:13.227+00:00

    sure, this is the script:

    $from = xxxx@Company portal .com
    $subject = "task result"
    $res = get-scheduledtask -taskname "task 1" | Get-ScheduledTaskInfo | Out-String
    $log = "c:\results\log.txt"

    Send-MailMessage -from $from -to 'xxx@Company portal .com' -Subject $subject -smtpserver smtp.contoso.com -body $res -attachments $log

    This script run with a GMSA and it doesn't work, if I replace the $res with a single word it works.
    The GMSA has full controll to the path of the scheduled tasks and the task files
    If I run the task with my account or system it works

    I guess there is a permission issue to to get-scheduledtask by I don't know exacley where I can check more

    0 comments
  2. MotoX80 31,571 Reputation points
    2021-04-05T13:14:19.007+00:00

    Generate a transcript and see what the error is. 

    Start-Transcript -path c:\results\transcript.txt   
$from = xxxx@contoso.com  
$subject = "task result"  
$res = get-scheduledtask -taskname "task 1" | Get-ScheduledTaskInfo | Out-String  
$log = "c:\results\log.txt"  
Send-MailMessage -from $from -to 'xxx@contoso.com' -Subject $subject -smtpserver smtp.contoso.com -body $res -attachments $log  
Stop-Transcript

    Assuming that you're getting an access denied error, you can enable failure auditing with gpedit.msc. Then check the security event log for errors.

    84409-capture.jpg

    If you have to dig deeper, (very deep!!) you can use Process Monitor to trace all file and registry access. Search for "access denied".

    https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

    0 comments