How to run a Scheduled Task with gMSA credentials within a container?

  • Question

  • I am trying to run a Scheduled Task with a gMSA account as explained in the docs additional-group-managed-service-accounts.
    Both the primary and the additional accounts are installed on the host, the credentials spec file is created and it is passed to the container with the run command. To create the task I use these commands in an entrypoint script:

    $action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument ".\\script.ps1"
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date)
    $principal = New-ScheduledTaskPrincipal -UserID "domain\user$" -LogonType Password
    Register-ScheduledTask -TaskName "myTask" -Action $action -Trigger $trigger -Principal $principal

    And the result is:

    Register-ScheduledTask : The trust relationship between this workstation and the primary domain failed.
    (15,8):UserId:
    At C:\entrypoint.ps1:11 char:3
    +   Register-ScheduledTask -TaskName "myTask" -Action $action -Trigger  ...
    +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (PS_ScheduledTask:Root/Microsoft/...S_ScheduledTask) [Register-ScheduledTask], CimException
        + FullyQualifiedErrorId : HRESULT 0x800706fd,Register-ScheduledTask

    Thanks!

    Friday, November 18, 2016 5:10 PM

All replies

  • Is your container part of Active Directory?
    Saturday, November 19, 2016 2:47 AM
  • I think this is not possible. 

    The closest alternative is to use Service Accounts - what I am trying to do, following the steps from the documentation article.

    Saturday, November 19, 2016 7:52 PM
  • Per the article, those accounts are only used when the process is launched under the System account; you probably need to try to create the task as "NT Authority\System" instead.
    Saturday, November 19, 2016 8:06 PM
  • This is true for the default account which is mapped to the Local System and Network Service accounts. The additional accounts can be mapped to scheduled tasks or services.
    Saturday, November 19, 2016 8:15 PM