Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

xScheduledTask - missing option to configure tasks with gMSA accounts. #111

Closed
bielawb opened this issue Oct 31, 2017 · 3 comments · Fixed by #174
Closed

xScheduledTask - missing option to configure tasks with gMSA accounts. #111

bielawb opened this issue Oct 31, 2017 · 3 comments · Fixed by #174
Labels
enhancement The issue is an enhancement request.

Comments

@bielawb
Copy link

bielawb commented Oct 31, 2017

At the moment there is no option to specify gMSA account as ExecuteAsCredential. Attempt to do that (by passing credential w/o password) will result in error:

The password supplied to the Desired State Configuration resource MSFT_xScheduledTask is not valid. The password cannot be null or empty.

Following instructions here it should be possible with the command used inside this resource:
https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/

The main difference I see is that this instructions suggest to use New-ScheduledTaskPrincipal and pass object created by it to -Principal parameter on Register-ScheduleTask command.

As this looks like a different code path from existing one I think it would be best to support it in separate parameter (mutually exclusive with ExecuteAsCredential), but would like to first verify this is not already planned to be addressed in a different manner.

As a result we can't use the resource to configure large portion of scheduled tasks that require gMSA account to run correctly.

@PlagueHO
Copy link
Member

PlagueHO commented Nov 1, 2017

Hi @bielawb - I'm actually working on a change that might enable this as part of Issue 107. However, I've only managed to get my new integration tests (that cover these use cases) to pass using New-ScheduledTaskPrincipal on Windows Server 2016. There seems to be a behavior difference in Windows Server 2012 R2 that I need to resolve.

In short, once I complete the work to move code to use New-ScheduledTaskPrincipal then it should make this change fairly easy. I'll try and work on it over the weekend (unless someone wants to take a look before then (here is my inprogress code complete branch: https://github.com/PlagueHO/xComputerManagement/tree/Issue-107 - tests are failing on Window Server 2012R2 only).

@PlagueHO PlagueHO added enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community. labels Nov 1, 2017
@danielboth
Copy link
Member

danielboth commented Jul 24, 2018

Hi @PlagueHO, is there any progress on this part? Looking at this, this should be rather easy to implement. A gMSA uses the LogonType Password, what we could do is check if the account provided in the ExecuteAsCredential is a gMSA account (ends with dollar sign). Next we can change the code here to not set the password for gMSA accounts:

https://github.com/PowerShell/ComputerManagementDsc/blob/550074c4b1515e822038c54710ee44c275f64adb/Modules/ComputerManagementDsc/DSCResources/MSFT_ScheduledTask/MSFT_ScheduledTask.psm1#L1207

The user of the ScheduledTask DSC resource can then leave the password empty in the ExecuteAsCredential (or set it to anything, since we will ignore it anyway).

Integration tests will be a bit more challenging for this I'm afraid. any ideas?

@PlagueHO
Copy link
Member

Hi @danielboth - this does look like it'll work. But you're right, I don't think there is a way to integration test this because of a gMSA only working on a domain joined machine. I've never found a solution to this, so it is acceptable. If you're up for submitting a PR that would be awesome - I'm a bit snowed under at the moment and trying to get through my backlog of DSC Resource kit work 😁

@johlju johlju removed the help wanted The issue is up for grabs for anyone in the community. label Sep 25, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement The issue is an enhancement request.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants