This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 65%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECN%3C/text%3E%3C/svg%3E)
Hi folks,
I was definitely sure that a gMSA needs "logon as a batch job" to run a scheduled task. But I've noticed on one of our servers that a scheduled task launch by a gMSA was running fine although the gMSA was missing this privilege !
So today I've installed a new DC from scratch in an isolated environment and I get the same result. Can someone please check on his server if a scheduled task launched by a gMSA can run if the gMSA doesn't have a "log on as a batch job" privilege ?
Thank you.
Chris
Did you check the account rights before or after the scheduled task was created?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 60%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFA%3C/text%3E%3C/svg%3E)
Hello, I wonder this aswell. Why does it work without being a member of the group "LogonAsBatch"?
Is it because of this property "PrincipalsAllowedToRetrieveManagedPassword" on the serviceaccount (gMSA)?
By default members of the local Administrators group have the logon as batch privilege
From what I can see our gMSA account is not a member of the Administrators group but is still able to run script from the Windows Task Scheduler. How is this possible?
a gMSA account is not a member of the local administrators group by default. It's a non privileged account by default.
If you use Process Explorer to examine a process running under the gMSA account what group sids are shown in the Security tab?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.
Yes, in order to run tasks in the Task Scheduler, gMSA accounts must logon as a batch job. Furthermore, it's crucial to confirm that the gMSA account has the authorizations required to access the resources it need to finish the task. This entails giving the account the required user rights in addition to the access privileges it needs to use shared network resources.
If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.
