gabrielluizbh
Mar 08, 2022

gMSA account - running Windows tasks.

I created a gMSA account and installed it on the server to run the scheduled task on Windows.

I entered the gMSA account as domain administrator and DHCP administrator, since the script that the task will execute is a task of the DHCP server.

I entered the gMSA account in Log on as a batch job.

Even so, the error occurs when executing the task in the Task Scheduler.
8 Replies

  • Mcarvalho77
    Copper Contributor
    Have you added the gMSA account to the computer?
    In PowerShell:
    Install-ADServiceAccount -Identity "gMSA-account"
  • LainRobertson
    Silver Contributor

    gabrielluizbh

    That error code translates to:

    >net helpmsg 1385
    >Logon failure: the user has not been granted the requested logon type at this computer.

    So, even though you say you've granted that right, somehow, it's either not taking effect or not enough on its own.

    With respect to "taking effect", use something like "gpresult /h rsop.html /scope computer" to generate and inspect the resultant set of policy. If the account is not listed under "Log on as batch job" then you should also be able to see in that same report which group policy is overriding the method you used.

    If it is listed then the "logon as batch job" is not enough on its own, but since there aren't many others that are relevant (see the TASK_LOGON_TYPE enumeration below), it'd be unusual to encounter this.

    If anything's missing, it'd likely be the "interactive" right, which could be the case if Domain Admins is not actually a member of the local Administrators group (if this is a member server) or Domain Admins has actually been denied certain logon types or scopes of computers (again, unlikely outside of high security environments).

    It would be more likely that your attempt to provide the right has been overridden by something else (or simply didn't work to begin with.)

    TASK_LOGON_TYPE (taskschd.h) - Win32 apps | Microsoft Docs

    In any case, check the resultant set of policy to verify which accounts have which of the different kinds of logon rights.

    Cheers,

    Lain
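
An added example, not part of the original thread or written by any of its participants: one way to list which accounts currently hold the batch and interactive logon rights mentioned in the reply above, by exporting the machine's user rights with secedit. The account name `CONTOSO\gMSA-account$` is a placeholder and the function names are hypothetical; it assumes an elevated PowerShell session on the server that hosts the task.

```powershell
# Added example. Run elevated on the server that hosts the scheduled task.
# 'CONTOSO\gMSA-account$' is a placeholder; the function names are hypothetical.
function Resolve-RightEntry {
    param([string]$Entry)
    # secedit writes SIDs as "*S-1-..." and unresolved names as plain text.
    $value = $Entry.Trim().TrimStart('*')
    if ($value -notmatch '^S-1-') { return $value }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($value)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $value   # orphaned SID: keep it visible rather than hiding it
    }
}

function Get-LogonRightReport {
    param(
        [Parameter(Mandatory)][string]$Account,
        [string[]]$Rights = @('SeBatchLogonRight', 'SeDenyBatchLogonRight',
                              'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight')
    )
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user rights assignments currently set on this machine.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $accountSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^(\w+)\s*=\s*(.*)$' -and $Rights -contains $Matches[1]) {
                $right, $value = $Matches[1], $Matches[2]
                $entries = @($value.Split(',') | Where-Object { $_.Trim() })
                [pscustomobject]@{
                    Right          = $right
                    Holders        = @($entries | ForEach-Object { Resolve-RightEntry $_ })
                    # True only when the account's own SID is on the list.
                    ListedDirectly = [bool]($entries |
                        Where-Object { $_.Trim().TrimStart('*') -eq $accountSid })
                }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Get-LogonRightReport -Account 'CONTOSO\gMSA-account$' | Format-List
```

`ListedDirectly` does not follow group membership, so compare the `Holders` of each right against the groups the account belongs to; an entry under either `SeDeny...` right takes precedence over a grant.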

  • If you use a Start-Transcript c:\temp\log.txt in the script, can you see if it even starts the script and why it fails?
