Using gMSA for replacing the Task Scheduler service account?

Question

Using gMSA for replacing the Task Scheduler service account?

EnterpriseArchitect 6,301

What steps should I follow to change the current Task Scheduler service account from using the regular AD Account in the format of CORP\service.account to a gMSA?

When I try to change it manually by double-clicking on the task, it prompts for the password after clicking the OK button.

Answer accepted by question author

1 additional answer

Your answer

Answer 1

Anonymous

Hello EnterpriseArchitect,

Thank you for posting in Q&A forum.

Changing the service account for scheduled tasks to a Group Managed Service Account (gMSA) involves several steps to ensure a smooth transition. Here’s a detailed guide to help you with the process:

1.Ensure Environment Compatibility: Make sure your environment supports gMSAs. This typically means having a Windows Server 2012 or later domain controller.

2.Create gMSA: If not already created, a domain administrator will need to create the gMSA.

Install the gMSA on each server that will use it.

3.Grant Required Permissions: Ensure that the gMSA has the necessary permissions to run the scheduled tasks.

4.Change the Task Scheduler Service Account:

For a single task:

1.Open Task Scheduler.

2.Select the task you want to change.

3.Right-click and select "Properties".

4.Go to the “General” tab.

5.In the “Security options” section, click “Change User or Group…”

6.Enter the gMSA name in the format Domain\gMSAName$ (don’t forget the $ at the end of the gMSA name).

7.Click “OK”.

8.Click “OK” again to close the task properties.

If it prompts for a password, it indicates that Task Scheduler does not recognize the account as a gMSA. Make sure you have entered the correct name with the $ suffix.

5.Update Service Configuration (if applicable): If your task is tied to a service, update the service configuration to use the gMSA.

$serviceName = "YourServiceName" $gmsaName = "Domain\gMSAName$" Set-Service -Name $serviceName -Credential $gmsaName -StartupType Automatic

6.Verify the Changes: Ensure the task runs successfully with the new service account by manually triggering the task and checking if it completes without errors.

I hope the information above is helpful.

If you have any questions or concerns, please feel free to let us know.

Best Regards,

Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

EnterpriseArchitect 6,301 Reputation points

2024-07-17T12:38:48.26+00:00
Hi @Daisy Zhou ,
Yes, I am using the below script,

$principal = New-ScheduledTaskPrincipal -UserID "DOMAIN\gmsaName$" -LogonType ServiceAccount -RunLevel Highest Set-ScheduledTask -TaskName "My TaskName" -Principal $principal

Before the script is running:

However, the task scheduler has become like below, with the yellow highlighted entry unchecked.

Does the above really matter when the Task Scheduler is executed as gMSA?

EnterpriseArchitect 6,301

@Anonymous ,
If I changed the command to Password:

$principal = New-ScheduledTaskPrincipal -UserID "DOMAIN\gmsaName$" -LogonType Password -RunLevel Highest
Set-ScheduledTask -TaskName "My TaskName" -Principal $principal

There is an error thrown:

Set-ScheduledTask : The user name or password is incorrect. At line:21 char:1
Set-ScheduledTask
    + CategoryInfo          : AuthenticationError: (PS_ScheduledTask:Root/Microsoft/...S_ScheduledTask) [Set-ScheduledTask], CimException
    + FullyQualifiedErrorId : HRESULT 0x8007052e,Set-ScheduledTask

Anonymous

2024-07-17T12:56:57.6733333+00:00
Hello

Does it need password when you use CORP\service.account?

Do you deploy Scheduled Tasks via GPO GPP? If so, The following Group Policy Preferences will no longer allow user names and passwords to be saved:

Drive Maps

Local Users and Groups

Scheduled Tasks

Services

Data Sources

For more information, please read here.
https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30

Best Regards,
Daisy Zhou
EnterpriseArchitect 6,301 Reputation points

2024-07-17T13:01:00.21+00:00

No, the scheduled task was manually created.

Do I have to do something on the gMSA so I can use the -LogonType Password?
Because that is seems the only way to make sure the Task is run whether user is logged on or not.

Answer 2

Mukesh Agarwal 65

You can't replace a service account with GMSA on task scheduler using GUI.

Either you need to create a new task with the GMSA using PowerShell or use the option below to replace the existing service account on an existing task-

schtasks /change /TN \test_gmsa_task /RU contoso\testgmsa$ /RP

Please upvote and comment if this was beneficial for you.

Marcus T 10 Reputation points

2025-04-15T06:34:24.72+00:00

This is the trick I was looking for. Thanks!
Ray 10 Reputation points

2025-05-28T18:46:23.12+00:00

Disregard, thanks for posting this
John Curtiss 76 Reputation points

2025-08-11T20:56:57.9033333+00:00

schtasks /change /TN [taskname] /RU [domain][[gmsa$] /RP

schtasks : WARNING: When the run-as password is empty, the scheduled task may not run because of the security policy.

ERROR: The user name or password is incorrect.
Doug Maurer 10 Reputation points

2025-09-05T22:54:30.1033333+00:00

Why would you think you can't set it via the GUI? Can't you just change the options to list/find the service account, select it, and just leave the password field blank. Same way you do in the services.msc gui, just blank out the password fields and good to go?
Mukesh Agarwal 65 Reputation points

2025-11-13T10:00:37.9966667+00:00

No Sir, You can't do that on task manager properties.
Mukesh Agarwal 65 Reputation points

2025-11-13T10:01:25.7+00:00

@John Curtiss is your issue resolved? Sorry, I did not check this space for long

Share via

Using gMSA for replacing the Task Scheduler service account?

1 additional answer

Your answer