This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 83%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
I am looking for the definitive answer on this one.
This article says you have to add the account to the "log on as a batch job" privilegie
https://woshub.com/group-managed-service-accounts-in-windows-server-2012/
The creator of this forum thread seem to have stumbled upon that it isn't required. But there are no answers.
What is the answer to this one? And if it is not required, what makes it work?
Is it a combination of the parameters -DNSHostName and -PrincipalsAllowedToRetrieveManagedPassword ? Or is it one of them? Or is it something completely different that is happening behind the scenes in active directory?
Silent as the grave...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi,
PrincipalsAllowedToRetrieveManagedPassword is required to allow GMSA password retrieved on target server. Without that the GMSA password cannot be used even if GMSA account has permissions to logon as the barch and logob as service permission.
Please don't forget to mark helpful answer as accepted
Ok, thank you. So that paramter is required for it to even work.
So, what about the paramter "DNSHostname"? In the powershell cmdlet new-adserviceaccount that paramter is mandatory and PrincipalsAllowedToRetrieveManagedPassword isn't. What does dnshostname do?
But the question about log on as a batch job still remains. Is the GMSA account required to be in that local security policy group on the windows server to be able to run scheduled tasks on the server?
Hi @Daniel
What does dnshostname do?
It's the FQDN of gmSA like DNSHOSTName attibut in computer object. For the mement,the DNSHostname is required when you create the GMSA account bit it's not used because there is no DNS record with FQDN of GMSA like the computer object.
But the question about log on as a batch job still remains. Is the GMSA account required to be in that local security policy group on the windows server to be able to run scheduled tasks on the server?
As I mentioned in my previous answer , yes GMSA need be granted log as the batch to be able to run schedule tasks on the server. For that you can use Group Policy Object or local Policy.
Please don't forget to mark helpful answer as accepted
Hi @Daniel
Just checking if there is any update or prgress ?
Please don't forget to mark helpful as accepted
Hi Thameur,
Now I have had the time to do some testing.
I created a GMSA account and had it run a scheduled task, it ran a powershell script that only creates a text file in a folder.
The GMSA account is not a member of the local security policy group "log on as a batch job".
The next test I did was changing the property on the GMSA account, "PrincipalsAllowedToRetrieveManagedPassword". I changed it to a random other server name. Not the server which hosts the scheduled task. And it still works! The script ran and the text file was created.
So, again, can someone explain to me how this really works? Preferably documentation from microsoft.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 35%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Hi @Daniel ,
I can answer at least part of this question - the machine being in the PrincipalsAllowedToRetrieveManagedPassword list is required when the gMSA is installed or when the password changes. So the machine will locally cache the password once installed, and as a result - if you were to remove the machine from PrincipalsAllowedToRetrieveManagedPassword after that point, any services using the gMSA could continue running on that machine in theory until the password rotates again (which happens every 30 days by default). At that time, the machine would need to retrieve the new password from AD and would not be able to since it is no longer in this list, and then the service would crash/fail.
As far as your other question however - why gMSAs don't appear to need to be explicitly granted the "log on as a batch job" right in order to do things that normally require this, such as running scheduled tasks or IIS app pools - that I do not know. I can say with confidence it has nothing to do with -PrincipalsAllowedToRetrieveManagedPassword nor with the -DNSHostName option...DNSHostName is really just a holdover from the computer account lineage of a gMSA (since a gMSA is sort of a blend between a computer and user account, so it inherits some properties of both)...just set it to the FQDN of the gMSA (e.g. gmsa.domain.com).
But back to the batch logon rights thing - I've found only this thread and the other one you linked talking about this, and indeed it does seem to be the case in my environment as well. In addition, this seems to be the case not only for gMSAs but also for the built-in IIS app pool identities - see my other question here from 6 years ago asking this question that unfortunately nobody had the answer to:
UPDATE: After doing some more testing and research just now, I think I may have figured out why this is the case (at least for IIS).
If we use the accesschk tool from Sysinternals to check the token contents of the process in question (w3wp.exe in my case, which is the IIS app pool worker process), when the process is running under a traditional domain account we can see that one of the "groups" listed is NT AUTHORITY\BATCH. This is a "special identity group" that contains all users and/or processes that are accessing the system as a batch job or through the batch queue.
An example command to check this would be something like:
accesschk <PID> -p -f
(where <PID> is the process ID of the process in question)
Now if we run the same command against the PID of an IIS worker process from an app pool configured to run as a gMSA, we see something different - it is NOT a member of NT AUTHORITY\BATCH; rather, it is a member of NT AUTHORITY\SERVICE instead. NT AUTHORITY\SERVICE, as you might suspect, is another "special identity group" which indicates the user/process is accessing the system as a service. The same is true if we run the app pool as ApplicationPoolIdentity.
BTW, more on these "special identities" (NT AUTHORITY\BATCH and NT AUTHORITY\SERVICE) can be found here:
So with the above results, we can confirm there is an internal difference in how these "virtual accounts" (gMSAs and IIS app pool identities) are interacting with the system when compared to traditional domain accounts. This difference accounts for the discrepancy in permission requirements. I would presume the gMSA thus would require "log on as a service" rights (which mine already had) in order to run the IIS app pools, rather than "log on as a batch job" as is normally required. I did not get a chance to test with either IIS nor a scheduled task when the gMSA did not have "log on as a service" rights - I would expect it to fail, but it's late so I'll leave that for another day =)
Hope this helps.
Edited after further testing to convert comment to an answer and add more details.
Thank you @rpi_dwillis77 for the thorough answer! It's been a while since I thought of this tbh but I liked the answer and the recap.
