question

MichaelFuller-1588 asked MichaelFuller-1588 commented

Scheduled Task Cannot connect to Exchange PowerShell with System account

I created a task to run a health report. The task runs under my credential but will not connect to Exchange PowerShell when I run it under the System account. I used transcription and saw that the script was running but failing to connect to any Exchange server to utilize the Exchange commands. I am not sure what could be causing the issue. I do not think it is a permissions issue because it is the Exchange server system account. PS remoting is enabled and there are no issues with PS remoting other than this account. I am running the task with the highest privileges. The script is Test-ExchangeServerHealth.ps1 from GitHub.

Tags: windows-server, office-exchange-server-administration, windows-server-iis, office-exchange-server-connectivity

AndyDavid answered MichaelFuller-1588 commented

I run local on-prem Exch stuff under a service account that has the needed perms, not the system account. That always works for me.


Unfortunately, saving credentials on a scheduled task is blocked in this environment due to it being a STIG violation. So, that is not an option.

AndyDavid answered AndyDavid commented

Group Managed Service Accounts (gMSA) are not supported in on-premises Exchange Server environments and thus cannot be used to perform Exchange things.

Reference link: https://docs.microsoft.com/en-us/Exchange/architecture/client-access/kerberos-auth-for-load-balanced-client-access?redirectedfrom=MSDN&view=exchserver-2019

AndyDavid MichaelFuller-1588 ·

Would that apply to the account running the scheduled task though?
I assume your actual connection to the Exchange Server in the PowerShell script itself is using a service account, yes?

MotoX80 answered MichaelFuller-1588 commented

In an AD environment a task running as SYSTEM will be seen as the YourDomainName\YourServerName$ account to another computer. That is the computer account within AD.

Can you grant that account access within Exchange? (I am not an Exchange guy.)


The system account has the permissions of the server. The server has full control of the Exchange environment. You are correct in thinking about permissions because you must have Exchange permissions to connect to Exchange PowerShell. I added the server to Organization Management just to test my sanity. That didn't resolve the issue. I believe the issue is that the System account is not able to provide the necessary credentials to connect. I was hoping someone could prove or disprove that. My workaround is to use the system account to schedule the task and use a service account with encrypted credentials within the script to connect to Exchange.

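The workaround described in the last comment, as an added example that is not part of the original thread or of Test-ExchangeServerHealth.ps1: the task runs as SYSTEM, and the script opens the Exchange PowerShell session with an explicit service-account credential. The server name and credential file path are placeholders, and the credential file is assumed to have been written with Export-Clixml by a process running as SYSTEM on the same server.

```powershell
# Added example; $ExchangeFqdn and $CredentialPath are placeholder values.
param(
    [string]$ExchangeFqdn   = 'exch01.example.test',
    [string]$CredentialPath = 'C:\Scripts\exch-svc.cred.xml'
)
$ErrorActionPreference = 'Stop'

# Log the identity the task really runs as. Under SYSTEM this is
# NT AUTHORITY\SYSTEM locally; other hosts see DOMAIN\SERVERNAME$.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "Task identity: $identity"

# Import-Clixml decrypts the stored password with DPAPI, which only succeeds
# for the same account on the same machine that ran Export-Clixml. For a
# SYSTEM task the file must have been created as SYSTEM on this server:
#   Get-Credential | Export-Clixml -Path C:\Scripts\exch-svc.cred.xml
if (-not (Test-Path -LiteralPath $CredentialPath)) {
    throw "Credential file not found: $CredentialPath"
}
try {
    $credential = Import-Clixml -LiteralPath $CredentialPath
} catch {
    throw "Cannot decrypt $CredentialPath as ${identity}: $($_.Exception.Message)"
}

$session = $null
try {
    # Explicit credential: the session authenticates as the service account
    # instead of the computer account that SYSTEM presents on the network.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$ExchangeFqdn/PowerShell/" `
        -Authentication Kerberos -Credential $credential
    Import-PSSession -Session $session -DisableNameChecking -AllowClobber | Out-Null

    # Exchange cmdlets are now available; the health report would run here.
    Get-ExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion
} catch {
    throw "Exchange connection as $($credential.UserName) failed: $($_.Exception.Message)"
} finally {
    if ($session) { Remove-PSSession -Session $session }
}
```

Restrict the NTFS ACL on the credential file to SYSTEM and administrators; DPAPI stops other accounts from decrypting it, but anything that can run code as SYSTEM on that server can.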