Using Standalone Managed Service Accounts for Scheduled Tasks


Managed Service Accounts were a feature introduced in Windows Server 2008 R2 that gave us service accounts with automatic password management, meaning that the passwords for these accounts are changed regularly without any human interaction. The downside of Standalone Managed Service Accounts is that each one can only be used from a single computer. This is solved by Group Managed Service Accounts, which were introduced in Server 2012.

In Windows Server 2012, these accounts can also be used as the RunAs account on scheduled tasks, but this can't be configured in the GUI.

Use PowerShell to create and install the service account, create a new task in the GUI using a regular user account as the run-as account, and then change the run-as account to the managed service account using schtasks.exe.

First, to create a managed service account on a Server 2008 R2 Domain Controller, run the following (the SamAccountName can be at most 14 characters long):

New-ADServiceAccount -SamAccountName "MyRunAsAccount" -Name "MyRunAsAccount" -Description "Account used for running MySchedTask on SERVER01"

and then give SERVER01 access to the password of this account by running:

Add-ADComputerServiceAccount -Identity "SERVER01" -ServiceAccount "MyRunAsAccount"

Add the account to the required groups to grant it sufficient permissions for the intended purpose. Note that Managed Service Accounts can't be given direct

On SERVER01 (which has to be running Server 2012/Windows 8 or newer and have the PowerShell AD module installed), install the service account by running:

Install-ADServiceAccount -Identity "MyRunAsAccount"

Now create a new scheduled task on SERVER01 using the GUI, specifying a regular user account as the RunAs account, then use the command-line tool schtasks.exe to change the RunAs account to the newly created Managed Service Account like this:

C:\>schtasks /Change /TN ScheduledTaskName /RU "domain\MyRunAsAccount$" /RP ""

If you get an error message like this, try with a shorter account name; in my experience the maximum length is 15 characters including the $ sign.

ERROR: The filename or extension is too long.
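The whole procedure above, collected into one PowerShell script as an added example (it is not part of the original post). The first section runs on a domain controller, the second on SERVER01; the NetBIOS domain name CONTOSO and the task name MySchedTask are placeholders, while SERVER01 and MyRunAsAccount are the names used in the post. The script adds the checks a practitioner wants around each step: the 14-character limit on the SamAccountName, Test-ADServiceAccount after installation, the exit code of schtasks /Change, and a final query of the task's "Run As User".

```powershell
# Added example, not code from the original post.
# Placeholders: CONTOSO (NetBIOS domain), MySchedTask (task name).
$DomainNetbios = 'CONTOSO'          # placeholder
$AccountName   = 'MyRunAsAccount'   # 14 characters, 15 with the trailing $
$TargetServer  = 'SERVER01'
$TaskName      = 'MySchedTask'      # placeholder

# ---- Section 1: run on a domain controller (or any host with the AD module and
# ---- rights to create service accounts).
Import-Module ActiveDirectory

# The $ suffix is appended to the SamAccountName, so 14 characters is the maximum
# before schtasks fails with "The filename or extension is too long".
if ($AccountName.Length -gt 14) {
    throw "SamAccountName '$AccountName' exceeds 14 characters"
}

New-ADServiceAccount -SamAccountName $AccountName -Name $AccountName `
    -Description "Account used for running $TaskName on $TargetServer"
# Note: with the Server 2012 or newer AD module, add -RestrictToSingleComputer
# so that a standalone (not group) MSA is created.

# Allow exactly one computer to retrieve this account's password.
Add-ADComputerServiceAccount -Identity $TargetServer -ServiceAccount $AccountName

# Review which service accounts the computer is authorised for
# (the msDS-HostServiceAccount attribute, exposed as ServiceAccount).
(Get-ADComputer -Identity $TargetServer -Properties ServiceAccount).ServiceAccount

# ---- Section 2: run on SERVER01 (Server 2012 / Windows 8 or newer, AD module installed).
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity $AccountName

# Confirm this host can actually use the account before touching the task.
if (-not (Test-ADServiceAccount -Identity $AccountName)) {
    throw "Install-ADServiceAccount did not succeed on $env:COMPUTERNAME"
}

# The task was created in the GUI with a regular user; now switch its principal.
# An empty /RP is what tells schtasks that the password is managed by the system.
$RunAs = "$DomainNetbios\$AccountName`$"
schtasks.exe /Change /TN $TaskName /RU $RunAs /RP ""
if ($LASTEXITCODE -ne 0) {
    throw "schtasks /Change failed with exit code $LASTEXITCODE"
}

# Verify that the task now runs under the MSA.
schtasks.exe /Query /TN $TaskName /V /FO LIST | Select-String -Pattern 'Run As User'
```

The length check is placed before New-ADServiceAccount on purpose: creating the account succeeds with a longer name, and the failure only surfaces later at the schtasks step, when the account already exists and has to be cleaned up.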

This works even if there are no Windows Server 2012 Domain Controllers in the domain, but it limits the account to use by a single computer.

Installing a domain controller running Windows Server 2012 in the domain makes it possible to use Group Managed Service Accounts, which allow one account to be used from more than one server.

For further reading, see Introducing Managed Service Accounts and Group Managed Service Accounts Overview.