Closed: SamErde closed this 11 months ago
As we discussed on Twitter, the main problem is insufficient permissions and rights assigned to the gMSA account when it runs a process from a scheduled task. When running under the task scheduler, the user account has much less access to local resources because the account is not automatically promoted to the Users group via special groups (like Interactive). The workaround in this case is to explicitly add your service account to the local Users group.
Yes, thanks for that great tip! Unfortunately, I'm stumped and a little frustrated again, because I got it to work after adding the gMSA to the local Users group. Then I updated the scheduled task to run my production script instead of my test script, and now I can't get either to work again. Back at square one until I figure out the missing piece.
In any case, this is unfortunately an environment issue: the gMSA lacks some permissions. There is nothing to fix in the code; you need to figure out which permissions your gMSA lacks. It isn't an easy task, since you can't log in with a gMSA and see what is wrong.
Maybe you should start by running whoami /all as the gMSA from a scheduled task to see its group membership and privileges.
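A worked version of that diagnostic, added here as an example and not code from the thread or from the project: it applies the local Users workaround from the earlier reply, registers a task that runs whoami /all under the gMSA, and captures the token details to a file you can read afterwards. The gMSA name CONTOSO\svc-ca$, the log path C:\Logs and the task name are assumptions; adjust them to your environment. Run it from an elevated PowerShell session on the host that runs the task.

```powershell
# Added example (not from the original issue). Assumed values: gMSA CONTOSO\svc-ca$,
# log directory C:\Logs. Requires an elevated session; step 1 needs the ActiveDirectory RSAT module.
$Gmsa    = 'CONTOSO\svc-ca$'
$LogDir  = 'C:\Logs'
$LogFile = Join-Path $LogDir 'gmsa-whoami.log'
$Task    = 'gMSA-WhoAmI-Diag'

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# 1. The host must be able to retrieve the gMSA password before anything else can work.
#    If this returns False, the task will never start correctly regardless of local groups.
Test-ADServiceAccount -Identity 'svc-ca$'

# 2. Workaround from the thread: add the gMSA to the local Users group explicitly.
#    A task-scheduler logon is not Interactive, so the usual Interactive -> Users promotion
#    never happens and the account sees far less of the local machine.
$isMember = Get-LocalGroupMember -Group 'Users' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq $Gmsa }
if (-not $isMember) {
    # net.exe is used for the add because it accepts the trailing-$ gMSA name reliably.
    net localgroup Users $Gmsa /add | Out-Null
}

# 3. Register a task that runs whoami /all as the gMSA and redirects the result to the log.
#    A gMSA principal is registered with -LogonType Password and no stored password;
#    the host fetches the password from Active Directory itself.
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' `
                 -Argument "/c whoami /all > `"$LogFile`" 2>&1"
$principal = New-ScheduledTaskPrincipal -UserId $Gmsa -LogonType Password
Register-ScheduledTask -TaskName $Task -Action $action -Principal $principal -Force | Out-Null

# 4. Run it and read back the group membership and privilege list of the task's token.
Start-ScheduledTask -TaskName $Task
Start-Sleep -Seconds 5
Get-Content $LogFile

# What to look for in the output:
#   - BUILTIN\Users should now be listed (the workaround in step 2).
#   - NT AUTHORITY\INTERACTIVE will be absent; that is expected for a task logon
#     and is the reason the automatic Users membership is missing.
#   - Compare the PRIVILEGES section with the same output from a normal user account
#     whose task works, to spot what the gMSA token lacks.
```

If the log file is never written, check the task's Last Run Result in Task Scheduler and the Microsoft-Windows-TaskScheduler/Operational event log before suspecting the script; an empty or missing file usually means the task did not start as the gMSA at all (failed password retrieval or a logon-right restriction), which is a different problem from the token lacking groups.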
Agreed. I'm certainly not trying to present this as an issue with the code. Just curious if you or anyone else has encountered this and found a way around the way that gMSAs work. Thanks for your help! I'll post here if I find a consistently working solution.
Specifically, I never tested it in a scheduled task with a gMSA account. It does work with normal user accounts, though.
Not actively using or testing this approach anymore.
I have a PowerShell script running as a scheduled task that uses a gMSA as the identity to execute the action.
The script works when run interactively in PowerShell 5.1 and PowerShell 7.3.6.
When run in the scheduled task as a gMSA, the Get-CA / Get-CertificationAuthority cmdlet does not get any CAs. Even using -Verbose fails to create any output (I added extra logging to the script for troubleshooting). However, if I run the scheduled task as a normal user account, the cmdlets all work fine. Any idea why this cmdlet would fail as a gMSA?