How to Configure Scheduled Tasks with Group Managed Service Account (gMSA) in Windows Server



Group Managed Service Accounts (gMSAs) were introduced in Windows Server 2012 to overcome the limitations of standalone MSAs, which are bound to a single computer. Unlike traditional service accounts, gMSAs provide automatic password management and simplified SPN management across multiple servers.

Prerequisites:

  • Windows Server 2012 or later domain functional level
  • Active Directory PowerShell module installed
  • KDS Root Key created (for password generation)
  • Target servers (or a security group containing them) listed in the gMSA's PrincipalsAllowedToRetrieveManagedPassword attribute

First, create the KDS root key if one is not already present (Get-KdsRootKey shows existing keys). Backdating -EffectiveTime by 10 hours makes the key usable immediately, which suits a lab or a single-DC domain; in production, create it without the override and allow the normal 10-hour window for replication to all domain controllers:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Then create the gMSA account:

New-ADServiceAccount -Name MyTaskAccount `
    -DNSHostName MyTaskAccount.domain.com `
    -PrincipalsAllowedToRetrieveManagedPassword "SERVER1$","SERVER2$" `
    -KerberosEncryptionType AES128,AES256

Install the gMSA on the member server:

Install-ADServiceAccount -Identity MyTaskAccount

The key step most administrators miss is the proper syntax for referencing the gMSA in Task Scheduler: the account name needs its trailing $ and the logon type must be Password, even though no password is ever typed (Task Scheduler retrieves it from AD). Here's the correct PowerShell:

$Action = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-File C:\Scripts\MyScript.ps1"
$Principal = New-ScheduledTaskPrincipal `
    -UserID "DOMAIN\MyTaskAccount$" `
    -LogonType Password
Register-ScheduledTask -TaskName "gMSA Task" `
    -Action $Action -Principal $Principal

If you encounter "The object cannot be found" errors:

  1. Verify the gMSA is properly installed: Test-ADServiceAccount -Identity MyTaskAccount
  2. Ensure the server has permission to retrieve the password: check PrincipalsAllowedToRetrieveManagedPassword
  3. Use the correct account format: DOMAIN\AccountName$ (with trailing $)
  4. Confirm the task is created on a domain-joined computer
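As an added example (not from the original article), a pre-flight function that runs the four checks above on the local server and reports the exact principal string Task Scheduler needs. It assumes the ActiveDirectory module is available; Test-GmsaTaskReadiness is a name chosen here.

```powershell
# Added example: pre-flight checks before registering a task under a gMSA.
# Assumes the ActiveDirectory module is loaded and the gMSA name is passed
# without its trailing '$'. Not part of the original article.
function Test-GmsaTaskReadiness {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$GmsaName)

    $problems = [System.Collections.Generic.List[string]]::new()

    # Check 4: the task must be registered on a domain-joined computer.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) { $problems.Add('This computer is not domain-joined.') }

    # Check 2: the gMSA must exist, and this server (directly or through a group
    # it is a member of) must be listed in PrincipalsAllowedToRetrieveManagedPassword.
    $gmsa = Get-ADServiceAccount -Identity $GmsaName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword -ErrorAction SilentlyContinue
    if (-not $gmsa) {
        $problems.Add("gMSA '$GmsaName' was not found in Active Directory.")
    } else {
        $me      = Get-ADComputer -Identity $env:COMPUTERNAME
        $myDns   = @($me.DistinguishedName) +
                   @(Get-ADPrincipalGroupMembership -Identity $me | Select-Object -ExpandProperty DistinguishedName)
        $allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
        # Only direct and first-level group membership is checked here; nested groups are not expanded.
        if (-not ($allowed | Where-Object { $myDns -contains $_ })) {
            $problems.Add("$($env:COMPUTERNAME) is not allowed to retrieve the password of '$GmsaName'.")
        }
    }

    # Check 1: the gMSA must be installed locally and its password retrievable.
    if (-not (Test-ADServiceAccount -Identity $GmsaName -ErrorAction SilentlyContinue)) {
        $problems.Add("Test-ADServiceAccount failed; run Install-ADServiceAccount -Identity $GmsaName on this server.")
    }

    # Check 3: report the principal string in the required DOMAIN\Name$ format.
    [pscustomobject]@{
        Ready     = ($problems.Count -eq 0)
        Principal = "$($env:USERDOMAIN)\$GmsaName`$"
        Problems  = $problems
    }
}

Test-GmsaTaskReadiness -GmsaName 'MyTaskAccount'
```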

Security practices when using gMSAs:

  • Grant only the minimum required permissions to the account
  • Regularly audit which servers can retrieve the password
  • Use constrained delegation when accessing network resources
  • Combine with Just Enough Administration (JEA) for PowerShell tasks

For more complex scenarios, here's how to set up a task with triggers and conditions:

$Trigger = New-ScheduledTaskTrigger -Daily -At 3am
$Settings = New-ScheduledTaskSettingsSet `
    -StartWhenAvailable `
    -DontStopOnIdleEnd `
    -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName "Nightly Maintenance" `
    -Action $Action -Principal $Principal `
    -Trigger $Trigger -Settings $Settings

Group Managed Service Accounts (gMSAs) represent a significant security improvement over traditional service accounts in Windows environments. Unlike standalone MSAs that require manual password management, gMSAs automatically handle password rotation and can be shared across multiple servers within a domain.

Before implementing gMSA with Task Scheduler, ensure your environment meets these requirements:

  • Windows Server 2012 or later domain functional level
  • Key Distribution Service (KDS) root key configured
  • Proper permissions to create and manage gMSAs
  • Target servers must be domain-joined Windows Server 2012 or later

Here's the complete process to set up a scheduled task with gMSA:

1. Create the gMSA Account

# PowerShell command to create the gMSA (run on a domain controller or a host with the AD module)
New-ADServiceAccount -Name "TaskRunner" `
    -DNSHostName "TaskRunner.domain.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "SERVER1$","SERVER2$" `
    -KerberosEncryptionType AES256

2. Install gMSA on Target Server

# On each member server that needs to use the account
Install-ADServiceAccount -Identity "TaskRunner"
Test-ADServiceAccount -Identity "TaskRunner"  # Verify installation

3. Configure Scheduled Task

Use PowerShell to create the task with proper gMSA authentication:

$action = New-ScheduledTaskAction -Execute "PowerShell.exe" `
    -Argument "-File C:\Scripts\BackupJob.ps1"

# gMSA principals always use -LogonType Password; the trailing $ is required
$principal = New-ScheduledTaskPrincipal -UserID "DOMAIN\TaskRunner$" `
    -LogonType Password `
    -RunLevel Highest

$trigger = New-ScheduledTaskTrigger -Daily -At 3am

Register-ScheduledTask -TaskName "NightlyBackup" `
    -Action $action `
    -Trigger $trigger `
    -Principal $principal

Common errors and what to check:

  • "Object cannot be found" error: Verify DNS registration of the gMSA account and ensure proper SPN configuration
  • Access denied errors: Check whether the server has permission to retrieve the gMSA password (PrincipalsAllowedToRetrieveManagedPassword)
  • Task fails to start: Verify the gMSA has the permissions needed to execute the target script or application

For complex scenarios, consider these additional parameters:

# Example with additional security constraints
$settings = New-ScheduledTaskSettingsSet `
    -DontStopOnIdleEnd `
    -StartWhenAvailable `
    -DontStopIfGoingOnBatteries `
    -RunOnlyIfNetworkAvailable

Register-ScheduledTask -TaskName "SecureTask" `
    -Action $action `
    -Trigger $trigger `
    -Principal $principal `
    -Settings $settings

Security practices:

  • Always specify the exact servers allowed to use the gMSA (PrincipalsAllowedToRetrieveManagedPassword)
  • Use constrained delegation when the task needs to access network resources
  • Regularly audit gMSA usage with the Get-ADServiceAccount cmdlet
  • Combine gMSA with Just Enough Administration (JEA) for PowerShell tasks
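As an added example (not from the original article), an audit function that lists every scheduled task on this server running under a gMSA, joined with the principals allowed to retrieve that gMSA's password, so the "audit regularly" point above becomes a repeatable report. It assumes the ActiveDirectory module on a domain-joined server; Get-GmsaScheduledTaskAudit is a name chosen here.

```powershell
# Added example: audit scheduled tasks that run as a gMSA on this server.
# Assumes the ActiveDirectory module is loaded and the server is domain-joined.
# Not part of the original article.
function Get-GmsaScheduledTaskAudit {
    [CmdletBinding()]
    param()

    # Index every gMSA in the domain by sAMAccountName (which already carries the trailing '$').
    $byName = @{}
    Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
        ForEach-Object { $byName[$_.SamAccountName.ToUpperInvariant()] = $_ }

    foreach ($task in Get-ScheduledTask) {
        $userId = $task.Principal.UserId
        if ([string]::IsNullOrEmpty($userId)) { continue }

        # Strip the DOMAIN\ prefix and keep only tasks whose principal is a known gMSA.
        $sam = ($userId -split '\\')[-1].ToUpperInvariant()
        if (-not $byName.ContainsKey($sam)) { continue }
        $gmsa = $byName[$sam]

        # Resolve the allowed-principal DNs to readable names (computers or groups).
        $allowed = @(foreach ($dn in @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)) {
            (Get-ADObject -Identity $dn).Name
        })

        [pscustomobject]@{
            Task            = "$($task.TaskPath)$($task.TaskName)"
            RunAs           = $userId
            LogonType       = $task.Principal.LogonType
            Elevated        = ($task.Principal.RunLevel -eq 'Highest')
            Command         = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            PasswordAllowed = ($allowed -join ', ')
            AllowedCount    = $allowed.Count
        }
    }
}

# Review rows with a large AllowedCount (password retrievable from many hosts) or Elevated = True.
Get-GmsaScheduledTaskAudit | Format-Table -AutoSize
```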