Advanced Task Scheduler Service under Group managed service account
Advanced Task Scheduler Service can run under a Group managed service account (gMSA) provided that the account is a member of the local Administrators group.
How to add gMSA into local Administrators group
- Open "Command Prompt" with administrator rights
- Run the following command (a gMSA logon name is the account name with a trailing "$"):
net localgroup Administrators "<Domain Name>\<gMSA Name>$" /add
How to assign gMSA to a service
- Press "Windows" + "R" key to open Run Command Box
- Enter "services.msc" to open Services snap-in console
- Right-click service -> "Properties"
- Select "Log On" tab -> Click "This account" -> Enter "<Domain Name>\<gMSA Name>$"
- "Password" must be blank -> Click "OK"
- Click "Restart" to restart service
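The two procedures above can be done from a single elevated PowerShell session. The script below is an added example, not a script shipped with Advanced Task Scheduler: it checks that the host can retrieve the gMSA's managed password, adds the gMSA to the local Administrators group, sets it as the service logon account with a blank password, restarts the service and reports which account it actually runs under. The domain name, gMSA name and the service's short name are placeholders (look the real service name up with Get-Service); Test-ADServiceAccount and Install-ADServiceAccount come from the RSAT ActiveDirectory module, and sc.exe is used to set the logon account because it accepts an empty password.

```powershell
# Added example (not the product's own script). Placeholders, adjust to your environment:
#   $Domain      - NetBIOS domain name
#   $GmsaName    - gMSA sAMAccountName without the trailing '$'
#   $ServiceName - short name of the service (check Get-Service for the real one)
# Requires an elevated session and the RSAT ActiveDirectory module.
param(
    [string]$Domain      = 'CONTOSO',
    [string]$GmsaName    = 'svc-ats',
    [string]$ServiceName = 'AdvancedTaskSchedulerService'
)
$account = "$Domain\$GmsaName`$"   # gMSA logon names end with '$'

# 1. Confirm this host is allowed to retrieve the gMSA's managed password and has it installed.
Import-Module ActiveDirectory
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    Install-ADServiceAccount -Identity $GmsaName
    if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
        throw "Host cannot retrieve the managed password for $account; check PrincipalsAllowedToRetrieveManagedPassword."
    }
}

# 2. Add the gMSA to local Administrators (same effect as the 'net localgroup' command).
$members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($members -notcontains $account) {
    Add-LocalGroupMember -Group 'Administrators' -Member $account
}

# 3. Point the service at the gMSA with an empty password; Windows fetches the real one itself.
& sc.exe config $ServiceName obj= $account password= ""
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# 4. Restart the service and verify the account it runs under.
Restart-Service -Name $ServiceName
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
"$($svc.Name) runs as '$($svc.StartName)' (state: $($svc.State))"
```

If step 1 fails, the computer account is not in the gMSA's PrincipalsAllowedToRetrieveManagedPassword list, and the service would fail to start with a logon failure regardless of the settings in steps 2 and 3.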
Local Administrators group
If your Group managed service account is not a member of the local Administrators group, the service may get stuck initializing, logging a message in "Event Viewer" that tasks.sqlite is not writable. Even though that can be fixed by changing file permissions, administrator rights are still required to run tasks from the service; otherwise tasks will not start and fail with an access denied or permissions error.
Task execution account
The Advanced Task Scheduler Service can run tasks under gMSA accounts.
To run a task under the same gMSA account as the service itself, select the "Service user" option on the "User Account Options" tab of the "Task Properties" window.
To run a task under another gMSA account, select the "Start this task under the following account" on the "User Account Options" tab of the "Task Properties" window. You'll need to enter your gMSA account name and use "_SA_{262E99C9-6160-4871-ACEC-4E61736B6F21}" as the password.
Also note that the service must run under an account with "Act as part of the operating system" (SeTcbPrivilege) and "Replace a process-level token" (SeAssignPrimaryTokenPrivilege) privileges.
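Whether the service account already holds those two user rights is easy to miss, because membership in Administrators does not grant them. The script below is an added example, not part of the product: it exports the local User Rights Assignment with secedit, checks whether the gMSA's SID appears under SeTcbPrivilege and SeAssignPrimaryTokenPrivilege, and grants only the missing ones while keeping the existing holders of each right. The account name is a placeholder; run it elevated, and note that on a domain-joined host a GPO that defines these rights will overwrite the local setting at the next policy refresh.

```powershell
# Added example (not the product's own script). $Account is a placeholder gMSA logon name.
param([string]$Account = 'CONTOSO\svc-ats$')

$required = @('SeTcbPrivilege', 'SeAssignPrimaryTokenPrivilege')
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export the current User Rights Assignment and parse the [Privilege Rights] section.
# secedit lists holders as comma-separated SIDs prefixed with '*'.
$export = Join-Path $env:TEMP 'rights-export.inf'
& secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $export) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

$missing = $required | Where-Object { $rights[$_] -notcontains "*$sid" }
if (-not $missing) { "$Account already holds: $($required -join ', ')"; return }

# Build an import template that keeps the existing holders and appends the gMSA's SID.
$lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
foreach ($r in $missing) {
    $holders = @($rights[$r]) + "*$sid"
    $lines += "$r = $($holders -join ',')"
}
$import = Join-Path $env:TEMP 'rights-import.inf'
$lines | Set-Content -Path $import -Encoding Unicode
& secedit.exe /configure /db "$env:TEMP\rights.sdb" /cfg $import /areas USER_RIGHTS | Out-Null
"Granted $($missing -join ', ') to $Account; restart the service so its token picks up the new rights."
```

The rights take effect only in tokens created after the change, which is why the service has to be restarted afterwards.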
Categories: Task scheduler