Group Managed Service Accounts (gMSAs) provide automatic password management and simplified service principal name (SPN) management for services running across multiple servers. They eliminate the need to manually update service account passwords and reduce security risks associated with shared passwords.
What gMSAs Do:
gMSAs automatically rotate their password (every 30 days by default), support Kerberos authentication, and let the same service account run services on multiple computers in the domain. The domain controllers generate and rotate the password (a long random value derived from the forest's KDS root key); the host never stores it permanently and instead retrieves the current value from a domain controller when needed. Only computers authorized in the account's PrincipalsAllowedToRetrieveManagedPassword attribute (directly or through a group) can do so.
Why Use gMSAs:
They reduce administrative overhead by eliminating manual password changes, improve security through automatic complex password rotation, support high availability scenarios where services run on multiple servers, and provide better audit trails for service account usage.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
How to set up a scheduled task with the Task Scheduler gMSA:
There is a gMSA already made in AD called "gMSA_schtsk".
Setting up the service account to run a scheduled task on a server requires the following steps:
1. Grant the gMSA the permissions the scheduled task needs:
Whatever the task touches (AD objects, shares, files, databases) must have the required ACLs delegated to the gMSA in AD or on the target resource. Grant only what the task actually uses; the gMSA is a domain account and any host in its group can act as it.
2. Add the host the scheduled task will run on to the server farm group connected with gMSA_schtsk:
gMSAs require a server farm, which is simply an AD security group listed in the gMSA's PrincipalsAllowedToRetrieveManagedPassword attribute. Every computer in that group may retrieve the gMSA's managed password from a domain controller (the password is not persistent on the host; it is fetched on demand). The server farm connected to gMSA_schtsk is "schtskgmsa_access" and can be found at "CN=schtskgmsa_access,OU=gMSA Farm,OU=Groups,OU=NWFSC,DC=NWFSC,DC=EDU". Keep membership of this group tight: a local administrator on any member host can recover the gMSA password, so each member host is effectively trusted with everything the gMSA can do.
3. Allow the gMSA to log on as a batch job:
Open secpol.msc as admin. Go to Local Policies > User Rights Assignment > Log on as a batch job and add the gMSA (NWFSC\gMSA_schtsk$; the trailing $ is part of the logon name). If this user right is already managed by a Group Policy Object applied to the server, a local edit will be overwritten at the next policy refresh, so add the gMSA in that GPO instead.
4. Install RSAT:
The server needs the Active Directory module for Windows PowerShell, which ships with RSAT (on Windows Server, the "Active Directory module for Windows PowerShell" feature under Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools). The next step imports this module.
5. Install the gMSA:
Open PowerShell as admin. Run:
Install-ADServiceAccount -Identity gMSA_schtsk
NOTE: If this step or any later step fails with "Access is Denied", restart the machine. The host's computer account only picks up its new membership in schtskgmsa_access when its Kerberos ticket is renewed, which a reboot forces; until then the domain controller refuses to hand over the managed password.
After that runs, verify that this command returns True:
Test-ADServiceAccount -Identity gMSA_schtsk
6. Create the scheduled task:
NOTE: You can create the scheduled task entirely in PowerShell, but for most tasks this is far more work than the GUI, so this guide does not cover that method.
Create the scheduled task in the GUI and configure it exactly how you want it. For the account it runs as, temporarily use the account you are logged in with (for example, if you are logged into the server with a domain admin account, run the task as that account). The GUI cannot be pointed at the gMSA directly because it prompts for a password that nobody knows; the account is swapped in the next step.
7. Replace the account the task runs as with the gMSA account:
Download the attached script, open it, and set the $taskname variable to the name of the scheduled task. Run the script on the host machine.
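The following PowerShell is an added example that ties steps 2 through 7 together; it is not the script attached to this page and is not part of the original guide. Part A runs on a machine with the AD module and delegated rights over schtskgmsa_access; Part B runs as admin on the host after it has been rebooted and after step 3 (log on as a batch job) and step 6 (task created in the GUI) are done. The host name "SCHTASK01", the task name "Nightly Export", and the function names are assumptions chosen for the example; the gMSA and group DN are the ones named above.

```powershell
# Added example, not the attached script. Assumed placeholders: SCHTASK01 and "Nightly Export".
$GmsaName  = 'gMSA_schtsk'
$GmsaGroup = 'CN=schtskgmsa_access,OU=gMSA Farm,OU=Groups,OU=NWFSC,DC=NWFSC,DC=EDU'
$HostName  = 'SCHTASK01'          # assumption: the server that will run the task
$TaskName  = 'Nightly Export'     # assumption: the task created in the GUI (step 6)

# ---- Part A: AD side (step 2), run where the AD module is available ------------
function Add-HostToGmsaGroup {
    param([string]$ComputerName, [string]$GroupDN, [string]$Gmsa)
    Import-Module ActiveDirectory

    # Confirm the group really is the one the gMSA trusts for password retrieval,
    # otherwise adding the host to it achieves nothing.
    $acct = Get-ADServiceAccount -Identity $Gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword
    if ($acct.PrincipalsAllowedToRetrieveManagedPassword -notcontains $GroupDN) {
        throw "$Gmsa does not list $GroupDN in PrincipalsAllowedToRetrieveManagedPassword"
    }

    $computer = Get-ADComputer -Identity $ComputerName
    Add-ADGroupMember -Identity $GroupDN -Members $computer
    Write-Host "$ComputerName added to $GroupDN. Reboot the host so its Kerberos ticket includes the new group."
}

# ---- Part B: host side (steps 4, 5 and 7), run as admin on the host ------------
function Install-GmsaOnHost {
    param([string]$Gmsa)
    # Step 4: on Windows Server the AD PowerShell module is the RSAT-AD-PowerShell feature.
    if (-not (Get-WindowsFeature -Name RSAT-AD-PowerShell).Installed) {
        Install-WindowsFeature -Name RSAT-AD-PowerShell | Out-Null
    }
    Import-Module ActiveDirectory

    # Step 5: register the gMSA on this host and prove it can retrieve the managed password.
    Install-ADServiceAccount -Identity $Gmsa
    if (-not (Test-ADServiceAccount -Identity $Gmsa)) {
        throw "Test-ADServiceAccount returned False for $Gmsa. Is $env:COMPUTERNAME in the gMSA group, and has it been rebooted since being added?"
    }
}

function Set-TaskToRunAsGmsa {
    param([string]$TaskName, [string]$Gmsa)
    $domain = (Get-ADDomain).NetBIOSName
    $runAs  = '{0}\{1}$' -f $domain, $Gmsa     # gMSA logon names always carry a trailing $

    # Step 7: LogonType Password makes Task Scheduler fetch the managed password from AD
    # at run time; no password is supplied here or stored with the task.
    $principal = New-ScheduledTaskPrincipal -UserId $runAs -LogonType Password -RunLevel Highest
    Set-ScheduledTask -TaskName $TaskName -Principal $principal | Out-Null

    # Verify the swap actually took effect before trusting it.
    $task = Get-ScheduledTask -TaskName $TaskName
    if ($task.Principal.UserId -ne $runAs) {
        throw "Task '$TaskName' still runs as $($task.Principal.UserId)"
    }
    Write-Host "Task '$TaskName' now runs as $runAs"
}

# Usage, Part A (AD-privileged machine):
#   Add-HostToGmsaGroup -ComputerName $HostName -GroupDN $GmsaGroup -Gmsa $GmsaName
# Usage, Part B (on the host, after the reboot, step 3 and step 6):
#   Install-GmsaOnHost -Gmsa $GmsaName
#   Set-TaskToRunAsGmsa -TaskName $TaskName -Gmsa $GmsaName
#   Start-ScheduledTask -TaskName $TaskName    # smoke test; check Last Run Result in the GUI
```

The order matters: the membership change in Part A is invisible to the host until it reboots, which is the same "Access is Denied" situation step 5 warns about, and Set-TaskToRunAsGmsa will fail if step 3 was skipped because Task Scheduler cannot log the gMSA on as a batch job. Running Start-ScheduledTask at the end and checking Last Run Result (0x0 on success) confirms the task really executes under the gMSA rather than under the temporary account from step 6.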