Windows Server 2012 introduced Group Managed Service Accounts (gMSA), which allow a managed service account to be used across multiple computers rather than on a single host like a stand-alone MSA.
A gMSA can be used for scheduled tasks, IIS application pools, Exchange and SQL Server 2012, none of which a stand-alone MSA could be used for.
Create Root Key
gMSAs use the Key Distribution Service (KDS) to automate password management across multiple devices. This requires the following command to be run once per forest, and the key takes 10 hours to become effective. If you try to create the service account before the key is effective you get a “Key does not exist” error.
Add-KDSRootKey -EffectiveImmediately
Create Security Group
It is best practice to create a security group and add to it the computers that will use the gMSA, so that password retrieval is granted to the group rather than to individual computer accounts.
Create MSA
Once the security group has been created, the gMSA account can be created. This is done with the same cmdlet as a stand-alone MSA; the group goes in -PrincipalsAllowedToRetrieveManagedPassword, which is what lets its members pull the managed password.
New-ADServiceAccount -Name ServiceAccount1 -DNSHostName aghads01.company.local -PrincipalsAllowedToRetrieveManagedPassword "Servers"
Name = the name of the managed service account
DNSHostName = host name of the DC (aghads01.company.local in the example)
PrincipalsAllowedToRetrieveManagedPassword = the security group created above. The similarly named -PrincipalsAllowedToDelegateToAccount parameter configures Kerberos delegation to the account instead; it does not grant password retrieval and is not needed here.
Install gMSA
A gMSA is installed on the computer like a stand-alone MSA, with Install-ADServiceAccount <gMSA>, and Test-ADServiceAccount confirms that the computer can retrieve the managed password:
Install-ADServiceAccount ServiceAccount1
Test-ADServiceAccount ServiceAccount1
If the test returns $True then everything is ok.
Use gMSA in Scheduled Task
When creating a scheduled task that runs as a gMSA we are unable to use the Task Scheduler UI, so it needs to be done in PowerShell. The principal uses the gMSA's SAM account name (with the trailing $) and -LogonType Password; Task Scheduler retrieves the current managed password itself, so no password is stored with the task.
$action = New-ScheduledTaskAction -Execute 'c:\scripts\robocopy.bat'
$trigger = New-ScheduledTaskTrigger -At '23:00' -Daily
$principal = New-ScheduledTaskPrincipal -UserId 'child\myAdminAccount$' -LogonType Password
Register-ScheduledTask -TaskName myAdminTask -Action $action -Trigger $trigger -Principal $principal
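The whole procedure above, gathered into one script as an added example (it is not code from the original post). It reuses the post's names (ServiceAccount1, the Servers group, aghads01.company.local) and assumes the ActiveDirectory RSAT module, a Domain Admin session for the directory changes, and that steps 4 and 5 are run on each member server. The member computer names SRV01 and SRV02, the task name NightlyRobocopy and the group description are assumptions. Beyond the post, it checks before creating objects, fixes the password interval and Kerberos encryption type at creation (they cannot be changed afterwards), and verifies which principals may retrieve the password, since that attribute is the one to review when auditing a gMSA.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module,
# Domain Admin rights for steps 1-3, and local admin on each member server for steps 4-5.
#Requires -Modules ActiveDirectory

# --- 1. KDS root key (once per forest) ---
# A second key is harmless but unnecessary, so only add one if none exists.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately still needs about 10 hours of replication before
    # New-ADServiceAccount stops failing with "Key does not exist".
    Add-KdsRootKey -EffectiveImmediately
}
# Show the effective time so you know when gMSA creation will start working.
Get-KdsRootKey | Select-Object KeyId, CreationTime, EffectiveTime

# --- 2. Security group of computers allowed to retrieve the password ---
$groupName = 'Servers'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Computers allowed to retrieve the ServiceAccount1 gMSA password'   # assumed text
}
# Computer names are assumptions; replace with the hosts that will run the service.
Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer 'SRV01'), (Get-ADComputer 'SRV02')

# --- 3. Create the gMSA ---
# The group belongs in -PrincipalsAllowedToRetrieveManagedPassword. The similarly named
# -PrincipalsAllowedToDelegateToAccount configures Kerberos delegation, a different and
# more sensitive setting, and does not grant password retrieval.
$gmsaName = 'ServiceAccount1'
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName 'aghads01.company.local' `
        -PrincipalsAllowedToRetrieveManagedPassword $groupName `
        -ManagedPasswordIntervalInDays 30 `
        -KerberosEncryptionType AES256
}
# Review who may retrieve the password: this is the attribute to audit on every gMSA.
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword,
    ManagedPasswordIntervalInDays, KerberosEncryptionType |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword,
        ManagedPasswordIntervalInDays, KerberosEncryptionType

# --- 4. On each member server ---
# The server must have refreshed its Kerberos ticket (reboot or klist purge) so the new
# group membership is in its token, otherwise the test fails with access denied.
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "gMSA $gmsaName cannot be retrieved on $env:COMPUTERNAME; check group membership and the KDS key effective time."
}

# --- 5. Scheduled task running as the gMSA (UI cannot do this, PowerShell can) ---
# UserId is the gMSA SAM name with the trailing $; LogonType Password tells Task Scheduler
# to fetch the managed password itself, so nothing is stored with the task.
$netbios   = (Get-ADDomain).NetBIOSName
$action    = New-ScheduledTaskAction -Execute 'c:\scripts\robocopy.bat'
$trigger   = New-ScheduledTaskTrigger -Daily -At '23:00'
$principal = New-ScheduledTaskPrincipal -UserId "$netbios\$gmsaName`$" -LogonType Password
Register-ScheduledTask -TaskName 'NightlyRobocopy' -Action $action -Trigger $trigger -Principal $principal   # task name assumed

# Confirm the registered task really runs under the gMSA with a Password logon type.
$task = Get-ScheduledTask -TaskName 'NightlyRobocopy'
$task.Principal | Select-Object UserId, LogonType, RunLevel
if ($task.Principal.LogonType -ne 'Password') {
    throw "Task principal is not using LogonType Password; the gMSA will not be able to log on."
}
```

Steps 1 to 3 are run once from an administrative workstation or DC; steps 4 and 5 are run on each server in the group. If step 4 fails straight after the computer was added to the group, refresh the computer's Kerberos ticket first, and if step 3 fails with “Key does not exist”, wait for the EffectiveTime shown in step 1.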