gMSA account - running Windows tasks.


I created a gMSA account and installed it on the server to run the scheduled task on Windows.

Enter the gMSA account as domain administrator and DHCP administrator, since the script that the task will execute is a task of the DHCP server.

Enter the gMSA account in Log on as a batch job.

Even so, the error occurs when executing the task in the task scheduler.




8 Replies
If you use a Start-Transcript c:\temp\log.txt in the script, can you see if it even starts the script and why it fails?
Did you manage to fix your issue?
I couldn't solve it.

And if it's a member directly of the local administrators group? 

@Gabriel Luiz 


That error code translates to:

>net helpmsg 1385
>Logon failure: the user has not been granted the requested logon type at this computer.


So, even though you say you've granted that right, somehow, it's either not taking effect or not enough on its own.


With respect to "taking effect", use something like "gpresult /h rsop.html /scope computer" to generate and inspect the resultant set of policy. If the account is not listed under "Log on as a batch job" then you should also be able to see in that same report which group policy is overriding the method you used.


If it is listed then "Log on as a batch job" is not enough on its own, but since there aren't many others that are relevant (see the TASK_LOGON_TYPE enumeration below), it'd be unusual to encounter this.


If anything's missing, it'd likely be the "interactive" right, which could be the case if Domain Admins is not actually a member of the local Administrators group (if this is a member server) or Domain Admins has actually been denied certain logon types or scopes of computers (again, unlikely outside of high security environments).


It would be more likely that your attempt to provide the right has been overridden by something else (or simply didn't work to begin with.)


TASK_LOGON_TYPE (taskschd.h) - Win32 apps | Microsoft Docs


In any case, check the resultant set of policy to verify which accounts have which of the different kinds of logon rights.




Have you added the gMSA account to the computer?
In PowerShell:
Install-ADServiceAccount -Identity "gMSA-account"
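
One way to run both checks suggested in the replies above (whether the gMSA is usable on the computer, and who currently holds the batch logon right), as an added example that is not part of the thread. The account name `CONTOSO\gmsa-dhcp$` is a placeholder, and the script assumes an elevated prompt on the server with the ActiveDirectory RSAT module available.

```powershell
# Added example, not from the thread. Placeholder account name (assumption).
$Account = 'CONTOSO\gmsa-dhcp$'
$Sam     = ($Account -split '\\')[-1]
Import-Module ActiveDirectory

# 1. Can this computer retrieve and use the gMSA password?
$usable = Test-ADServiceAccount -Identity $Sam
Write-Output "gMSA usable on ${env:COMPUTERNAME}: $usable"

# 2. SIDs that represent the account: itself plus its direct AD groups.
#    Nested and local group membership is not expanded here.
$toSid = { param($n) [System.Security.Principal.NTAccount]::new($n).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value }
$accountSids  = @(& $toSid $Account)
$accountSids += Get-ADPrincipalGroupMembership -Identity $Sam |
                ForEach-Object { $_.SID.Value }

# 3. Export the user rights assignment currently applied on this computer.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# 4. Report who holds the allow and deny batch logon rights.
$report = foreach ($right in 'SeBatchLogonRight', 'SeDenyBatchLogonRight') {
    $line = Select-String -Path $inf -Pattern "^$right\s*=" | Select-Object -First 1
    if (-not $line) { continue }   # right not assigned to anyone
    foreach ($entry in ($line.Line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        # secedit writes "*S-1-5-..." for SIDs and plain names otherwise
        $sid = if ($entry.StartsWith('*')) { $entry.Substring(1) }
               else { try { & $toSid $entry } catch { $null } }
        [pscustomobject]@{
            Right         = $right
            Entry         = $entry
            CoversAccount = $accountSids -contains $sid
        }
    }
}
Remove-Item $inf
$report | Format-Table -AutoSize
```

A row with `CoversAccount` true under `SeDenyBatchLogonRight` explains error 1385 even when the allow right is present, because a deny assignment takes precedence.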