Managed service account for a scheduled task as simple as possible

This will show you how to install a managed service account on a domain joined computer to run a scheduled task. It will not explain how this technology works and will be limited to one computer (further information). There are managed service accounts and group managed service accounts. We will cover the managed service account (the -RestrictToSingleComputer parameter below.).

Why do you want to have a managed service account? You will never need to change the password of the account because it gets changed periodically. But the best part is that you do not need an actual user account for your script ever again.

Table of contents

Commands on the Domaincontroller

I prefer to get the identity for the following commands with “Get-Adcomputer” in order to check if the computer really exists.

$Identity = Get-Adcomputer -identity MyTargetComputer

Pass $Identity to the New-ADServiceAccount, after this command you should be able to see the object in the “Managed Service Accounts” OU. If not make sure to enable the Advanced Features in Active Directory (View -> Advanced Features).

New-ADServiceAccount -Name svc_scriptrunner -Enabled $true  -RestrictToSingleComputer

Now the only thing missing is the connection to your computer object.

Add-ADComputerServiceAccount -Identity $identity -ServiceAccount svc_scriptrunner

Commands on the computer needing a managed service account

To use MSA you need to install the Active Directory module for Windows PowerShell.

After that, you open a PowerShell session (in administrator mode) and run the following commands. If you had a open session you need to close it and start it or manually import the newly installed module. If this fails check if port 9389 is open, because Active Directory Webservice needs that one.

Import-Module ActiveDirectory
Install-ADServiceAccount -Identity svc_scriptrunner

Set the created user as run as user for you task

Now the only thing missing is to set the running user to be our newly created svc_scriptrunner. Create a scheduled task as usual and then run the following command in cmd.exe to assign svc_scriptrunner to the task. Run one of the following methods in an elevated shell.

Method 1

This method some times throws the following error “Task Scheduler failed to start “\Daily CRL Copy” task for user “Domain\svc_scriptrunner$”. Additional Data: Error Value: 2147942402.” if that one fails try Method 2 below.

schtasks /Change /TN TaskName /RU "svc_scriptrunner$" /RP ""

Method 2

This method is more complicated but works in most of the cases.

$action = New-ScheduledTaskAction -Execute powershell.exe  -Argument "-file C:\Script\MyScript.ps1 -executionpolicy bypass"
$trigger = New-ScheduledTaskTrigger -Once -At 12:00 -RepetitionInterval (New-TimeSpan -Hours 6) -RepetitionDuration (New-TimeSpan -Days 1)
$principal = New-ScheduledTaskPrincipal -UserId svc_scriptrunner$ -LogonType Password 
Register-ScheduledTask "Copy CRL Task" -Description "Copy CRL, this task can not be edited via GUI!" –Action $action –Trigger $trigger –Principal $principal


4 thoughts on “Managed service account for a scheduled task as simple as possible

Add yours

Leave a Reply

Powered by WordPress.com.

Up ↑

%d bloggers like this: