So I am starting to use Group Managed Service Accounts (gMSAs) for my scheduled tasks rather than the old-school approach of creating a regular user account and being done with it. Combined with some other security measures I’m putting in place, this should significantly lower the damage a malicious actor could do should they somehow get hold of a privileged account, and it generally just makes way more sense. All that being said, I ran into a little issue trying to run a scheduled task as one of the Group Managed Service Accounts I have created (don’t worry, I’ll have a post about how to do that soon). You can’t just add them through the GUI as you would expect; you have to use the command line (at least as far as I know). I stumbled across this TechNet post that helped me come to the following solution. Again, this assumes your Group Managed Service Account is configured correctly.
1.) Create your Scheduled Task as you normally would, but disregard the Security Options (we’ll be changing those in a second)
2.) Once that is created, open a PowerShell window as administrator
3.) Run the following:
schtasks /change /TN \RandomTaskName /RU DOMAIN\gMSA_Name$ /RP
4.) When it asks for a password, leave it blank and hit enter
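The same change done with the ScheduledTasks cmdlets instead of schtasks, with a check up front that the gMSA is actually usable on this host. This is an added example, not from the TechNet post or the steps above; the task name and gMSA name are placeholders, and it assumes the RSAT ActiveDirectory module is installed and the gMSA has already been installed on the host with Install-ADServiceAccount.

```powershell
# Added example (not from the original post): set an existing scheduled task to
# run as a gMSA via the ScheduledTasks module, plus a pre-check of the gMSA.
# Assumptions: RSAT ActiveDirectory module present, the task already exists,
# and the gMSA is installed on this host (Install-ADServiceAccount).
#Requires -RunAsAdministrator
param(
    [string]$TaskName    = 'RandomTaskName',      # placeholder task name
    [string]$GmsaAccount = 'DOMAIN\gMSA_Name$'    # placeholder gMSA, note the trailing $
)

Import-Module ActiveDirectory
Import-Module ScheduledTasks

# SAM account name without the domain prefix, as Test-ADServiceAccount expects.
$samName = ($GmsaAccount -split '\\')[-1]

# Returns $false when this host cannot retrieve the managed password (not in
# PrincipalsAllowedToRetrieveManagedPassword, or not installed locally yet).
if (-not (Test-ADServiceAccount -Identity $samName)) {
    throw "gMSA '$samName' is not usable on this host; fix the gMSA configuration first."
}

# A gMSA has no password you can type, so the logon type is Password with none
# supplied; the Task Scheduler service retrieves the managed password itself.
$principal = New-ScheduledTaskPrincipal -UserId $GmsaAccount -LogonType Password -RunLevel Limited

Set-ScheduledTask -TaskName $TaskName -Principal $principal | Out-Null

# Verify the change, the equivalent of refreshing the Task Scheduler window.
$task = Get-ScheduledTask -TaskName $TaskName
"{0} now runs as {1} (logon type {2})" -f $task.TaskName, $task.Principal.UserId, $task.Principal.LogonType
```

If Test-ADServiceAccount throws rather than returning $false, the account name itself was not found in the domain, which is a different problem from the host not being allowed to retrieve its password.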
That’s it! You can refresh your Task Scheduler window to see the updated Security Options.