2025-01-20 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Background
Beans needs to set up a scheduled task and run it under a service account. The traditional practice is to create a service account, grant it the required permissions, and then set its password to never expire. The security hazard is that the password is never changed afterwards. Microsoft introduced MSA (Managed Service Accounts) in Windows 2008; an MSA inherits the characteristics of a computer account and rotates its password automatically, without any administrator intervention. But at that time MSA did not support multiple hosts or scheduled tasks, let alone third-party software, so it was not very practical. After Windows 2012, Microsoft introduced the new gMSA, which finally supports multiple hosts and scheduled tasks. Each gMSA password change is managed by the KDS service on the DC: each time, a random password is generated by a complex algorithm from the root key ID, a timestamp and the gMSA's SID. Note that the g in gMSA stands for group: we assign a security group to this managed account, and every computer account in that group can use it.
Specific operation
1. Create a KDS Root Key
Note: after creation, you need to wait 10 hours for all DCs to synchronize.
2. Create a security group, add the computers to be managed to it, and restart those computers.
3. Create a gMSA account
After the creation succeeds, you can see the corresponding account under the Managed Service Accounts container.
4. Install the gMSA on the host
Log in to the corresponding host and run the following command.
The basic installation is now complete. Next, you can use this gMSA account to configure services or scheduled tasks.
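The commands for steps 1 to 4, collected into one script as an added example (this is not code from the original post). The domain name CONTOSO.LOCAL, the OU path, the group gMSA-Hosts, the account svc-task and the hosts APP01/APP02 are placeholders; the lab-only key back-dating trick is commented out because in production the 10-hour replication wait applies.

```powershell
# Added example (not from the original post): provisioning a gMSA end to end.
# All names below are placeholders; replace them with your own values.
Import-Module ActiveDirectory

# Step 1: create the KDS root key once per forest (run on a DC).
# In production the key only becomes usable after the 10-hour replication window.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}
# Lab-only shortcut for a single-DC test forest: back-date the effective time
# so the key is usable right away. Do not use this in production.
# Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# Step 2: security group whose members are allowed to retrieve the managed password.
New-ADGroup -Name "gMSA-Hosts" -GroupScope Global -GroupCategory Security `
    -Path "OU=Servers,DC=CONTOSO,DC=LOCAL"
# Computer accounts are addressed by their sAMAccountName, which ends in "$".
Add-ADGroupMember -Identity "gMSA-Hosts" -Members "APP01$", "APP02$"
# The hosts must be restarted so their Kerberos ticket carries the new group
# membership; otherwise step 4 fails on them.

# Step 3: the gMSA itself. PrincipalsAllowedToRetrieveManagedPassword is the
# security boundary: only members of that group can read the password.
# The password interval can only be set at creation time (30 days is the default).
New-ADServiceAccount -Name "svc-task" `
    -DNSHostName "svc-task.contoso.local" `
    -PrincipalsAllowedToRetrieveManagedPassword "gMSA-Hosts" `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# Step 4: on each host in the group (after its reboot), make the AD cmdlets
# available, then install and test the account.
Install-WindowsFeature RSAT-AD-PowerShell
Install-ADServiceAccount -Identity "svc-task"
# Returns True when this host can retrieve the managed password; if it returns
# False, the usual cause is a host that was added to the group but not rebooted.
Test-ADServiceAccount -Identity "svc-task"
```

Because group membership is what grants access to the password, anyone who can add members to gMSA-Hosts can effectively obtain the account's credentials, so the group deserves the same change control as the service account itself.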
5. Configure scheduled tasks
One annoying thing is that the graphical interface does not support configuring a gMSA: if you look the account up directly in the UI, it wrongly reports that the account does not exist.
The correct approach is to do the whole process through PowerShell.
$F = "C:\scripts\syncErrornotification.ps1"
# The first command uses the New-ScheduledTaskAction cmdlet to assign the action variable $A: run the script with powershell.exe
$A = New-ScheduledTaskAction -Execute "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Argument "-NoExit -ExecutionPolicy Bypass -File $F"
# The second command uses the New-ScheduledTaskTrigger cmdlet to assign the trigger variable $T: every day at 7am
$T = New-ScheduledTaskTrigger -Daily -At 7am
# The third command uses the New-ScheduledTaskSettingsSet cmdlet to assign the settings variable $S to a task settings object
# (ExecutionTimeLimit takes a TimeSpan, so 3600 seconds is written as one hour)
$S = New-ScheduledTaskSettingsSet -Compatibility Win8 -ExecutionTimeLimit (New-TimeSpan -Hours 1) -ThrottleLimit 2
# The fourth command assigns the principal variable $P: the task runs as the gMSA Domainname\gMSA_account$ with logon type Password
$P = New-ScheduledTaskPrincipal -UserId 'omnicom\svc-it$' -LogonType Password -RunLevel Highest
# The fifth command sets the description variable $D for the task definition
$D = "Office365 Sync Errors"
# Register the scheduled task (the settings object must be passed explicitly, otherwise $S is ignored)
Register-ScheduledTask -TaskName "test" -Action $A -Trigger $T -Principal $P -Settings $S -Description $D
On the host, the account also needs the right to run the task: open gpedit.msc and grant the gMSA the "Log on as a batch job" user right.
If you need additional permissions, such as local administrator or domain administrator, add them yourself.
6. Test
The step 5 script creates the scheduled task shown below, which cannot be configured through the UI.
Running it for real, I received the e-mail one minute later. Success.
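A way to check the result without waiting for the 7am trigger, as an added example that is not part of the original post: run the task on demand, confirm it is really bound to the gMSA, and read back the last result code. The task name "test" and the account omnicom\svc-it$ are those from step 5; the 60-second wait is an assumption about how long the script takes.

```powershell
# Added example (not from the original post): verify the gMSA-backed task.
$taskName = "test"

# Confirm the task runs as the gMSA with logon type Password, not as an
# interactive or stored-credential account.
$task = Get-ScheduledTask -TaskName $taskName
$task.Principal | Select-Object UserId, LogonType, RunLevel
if ($task.Principal.UserId -ne 'omnicom\svc-it$' -or $task.Principal.LogonType -ne 'Password') {
    Write-Warning "Task principal is not the expected gMSA / Password logon"
}

# Run it now and give the script a moment to finish (assumed 60 seconds).
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 60

# LastTaskResult: 0 = success, 0x41301 = still running (expected with -NoExit
# until ExecutionTimeLimit stops it), 0x41303 = task has not run yet.
# Any other value means the script itself failed or the logon was refused,
# typically a missing "Log on as a batch job" right for the account.
$info = Get-ScheduledTaskInfo -TaskName $taskName
"{0} last ran at {1}, result 0x{2:X}" -f $info.TaskName, $info.LastRunTime, $info.LastTaskResult
```

A non-zero result with no run at all is the symptom to look for when the batch logon right from step 5 was not granted; a result of 0x41301 is normal here because the action keeps powershell.exe open with -NoExit.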