The issue revolves around a Group Managed Service Account (gMSA) that cannot successfully run a PowerShell script through Task Scheduler, even though the same script works when an admin runs it by hand. The script uploads local files to SharePoint Online using PnP.PowerShell with app-only certificate authentication; it completes as expected in the admin's interactive session but fails silently when the scheduled task runs it under the gMSA. Because a gMSA cannot log on interactively, the manual test never actually exercised the gMSA's environment: the admin's run used their own user profile, their CurrentUser certificate store and their per-user module path, none of which the gMSA sees. The discrepancy therefore points to the differences between the two execution contexts rather than to the script itself. Engineers and sysadmins need to confirm that the gMSA is correctly installed on the task host, that it can read the private key of the certificate in the LocalMachine store, that the PnP.PowerShell module is installed where the gMSA can load it, and that the scheduled task's action and principal are configured correctly. The root cause most likely lies in one of those context differences or in missing permissions within the task settings.
- Windows Server
- Task Scheduler
- PnP.PowerShell module
- Ensure that the Group Managed Service Account (gMSA) is installed on every host that will run the task by running Install-ADServiceAccount -Identity <gMSAName> on that host, and confirm it with Test-ADServiceAccount -Identity <gMSAName>, which returns True only if the host can retrieve the managed password. (Add-ADComputerServiceAccount is for standalone MSAs and does not install a gMSA.)
- Verify that the server hosting the scheduled task (or a group it belongs to) is listed in PrincipalsAllowedToRetrieveManagedPassword. The attribute lives on the gMSA object, not on the computer object, so query it with Get-ADServiceAccount -Identity <gMSAName> -Properties PrincipalsAllowedToRetrieveManagedPassword | Select-Object -ExpandProperty PrincipalsAllowedToRetrieveManagedPassword
- Confirm that the certificate is in the LocalMachine\My store (a certificate imported into the admin's CurrentUser store is invisible to the gMSA) and that the gMSA has Read access to its private key. certutil -store My <thumbprint> shows the key container name; the corresponding key file under %ProgramData%\Microsoft\Crypto can then be inspected and fixed with icacls.
- Ensure the PnP.PowerShell module is installed for AllUsers and available in the environment where the scheduled task runs, using Install-Module -Name PnP.PowerShell -Scope AllUsers from an elevated session. A plain Install-Module run by the admin lands in the admin's per-user module path, which the gMSA cannot see. Current PnP.PowerShell releases also require PowerShell 7, so the task's action must launch pwsh.exe rather than powershell.exe.
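The checks above, collected into one verification script that also registers the task under the gMSA. This is an added example, not code from the original post; it assumes a gMSA named svc-pnp in the example.com domain (NetBIOS name EXAMPLE), a task host named SERVERNAME, a placeholder certificate thumbprint and a script at C:\Scripts\Upload-ToSharePoint.ps1. Run it elevated on the task host with the RSAT Active Directory module installed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumed names: gMSA 'svc-pnp' in
# example.com (NetBIOS 'EXAMPLE'), task host 'SERVERNAME', placeholder thumbprint,
# and the upload script at C:\Scripts\Upload-ToSharePoint.ps1.
Import-Module ActiveDirectory
Import-Module ScheduledTasks

$Gmsa        = 'svc-pnp'
$GmsaAccount = 'EXAMPLE\{0}$' -f $Gmsa          # gMSA principal names end with '$'
$HostName    = 'SERVERNAME'
$Thumbprint  = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder, replace
$ScriptPath  = 'C:\Scripts\Upload-ToSharePoint.ps1'
$Pwsh        = 'C:\Program Files\PowerShell\7\pwsh.exe'    # PnP.PowerShell 2.x needs PS 7

# 1. Password retrieval: the attribute is on the gMSA object, not the computer object.
#    It may list a group rather than the host itself, so Test-ADServiceAccount is the
#    definitive check for this host.
$allowed = (Get-ADServiceAccount -Identity $Gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
$hostDn  = (Get-ADComputer -Identity $HostName).DistinguishedName
if ($allowed -notcontains $hostDn) {
    Write-Warning "$HostName is not listed directly in PrincipalsAllowedToRetrieveManagedPassword for $Gmsa (ok if a listed group contains it)"
}
if (-not (Test-ADServiceAccount -Identity $Gmsa)) {
    Write-Warning "Test-ADServiceAccount failed; run: Install-ADServiceAccount -Identity $Gmsa"
}

# 2. Certificate: must be in LocalMachine\My, and the gMSA needs Read on the key file.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in LocalMachine\My" }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
# CNG keys expose Key.UniqueName; legacy CAPI keys expose CspKeyContainerInfo.
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue |
           Select-Object -First 1
if (-not $keyFile) { throw "Private key file $keyName not found under $env:ProgramData\Microsoft\Crypto" }
$acl = Get-Acl -Path $keyFile.FullName
if (-not ($acl.Access | Where-Object { $_.IdentityReference -eq $GmsaAccount })) {
    Write-Warning "Granting Read on private key to $GmsaAccount"
    icacls $keyFile.FullName /grant "${GmsaAccount}:R" | Out-Null
}

# 3. Module: must be visible from a machine-wide path, not the admin's Documents folder.
$pnp = Get-Module -Name PnP.PowerShell -ListAvailable |
       Where-Object { $_.Path -like "$env:ProgramFiles\*" }
if (-not $pnp) {
    Write-Warning "PnP.PowerShell not found in an AllUsers path; run Install-Module PnP.PowerShell -Scope AllUsers"
}

# 4. Task: gMSA principal uses LogonType Password with no password supplied, action
#    launches pwsh.exe with a non-interactive, file-based invocation.
$action    = New-ScheduledTaskAction -Execute $Pwsh `
             -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At 02:00
$principal = New-ScheduledTaskPrincipal -UserId $GmsaAccount -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName 'Upload-ToSharePoint' -Action $action -Trigger $trigger `
                       -Principal $principal -Force | Out-Null
Start-ScheduledTask -TaskName 'Upload-ToSharePoint'
Start-Sleep -Seconds 15
Get-ScheduledTaskInfo -TaskName 'Upload-ToSharePoint' | Select-Object LastRunTime, LastTaskResult
```

Because the task "fails silently", also make the invoked script write its own log (for example Start-Transcript to a path the gMSA can write, or a try/catch that writes to the Application event log); LastTaskResult only reports the process exit code, and the Microsoft-Windows-TaskScheduler/Operational event log shows whether the task even started under the gMSA.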
This issue impacts homelab stacks that rely on Task Scheduler with gMSA to automate tasks involving PowerShell scripts. Specifically, any setup using Windows Server, Task Scheduler with a gMSA, and the PnP.PowerShell module may face similar issues unless properly configured.