Can group managed service accounts be granted privileges such as “log on as batch job”

active-directory, windows-server-2012-r2

I recently set up a group managed service account to ditch the headache of password rotation. The account creation went smoothly. I was able to set up a service to run as the gMSA, and the account was given "Log on as a service" privileges. I also have some scheduled tasks I need to convert, but whenever I try to grant "Log on as a batch service" or "Create symlinks" privileges (via secpol.msc) to the account I get the following error:

"An extended error has occurred. Failed to save Local Policy Database."

I have tried this on several machines, all with the same result. Is this supposed to be possible, and if so, any suggestions on where to start digging for solutions? All servers are Windows Server 2012 R2 SP0.

Thanks in advance.

Best Answer

Yes, Group Managed Service Accounts can indeed be granted "Log on as a batch job" and "Log on as a service" rights, among others.

From the MS PFE blog:

gMSA

In fact just go ahead and check out the entire post:

http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx

Make sure you're specifying the dollar sign in the name as shown.
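For anyone scripting this rather than clicking through secpol.msc, the following is an added PowerShell example (not from the answer or the linked post) that grants SeBatchLogonRight to a gMSA by its SID and then registers a task under it. It assumes an elevated session on the target host with the ActiveDirectory RSAT module, a gMSA named CONTOSO\svc-task$ (placeholder), and a script path C:\Scripts\nightly.ps1 (placeholder).

```powershell
# Assumed names: replace with your domain, gMSA and script path.
$gmsa = 'CONTOSO\svc-task$'          # trailing $ is required for gMSA names
$cfg  = "$env:TEMP\user-rights.inf"
$db   = "$env:TEMP\user-rights.sdb"

# 1. Refuse to touch policy unless the gMSA is actually installed on this host.
$sam = $gmsa.Split('\')[1].TrimEnd('$')
if (-not (Test-ADServiceAccount -Identity $sam)) {
    throw "gMSA $gmsa is not installed here; run Install-ADServiceAccount first."
}

# 2. Resolve the account to a SID. secedit .inf files accept *SID entries,
#    which sidesteps name-resolution failures for accounts ending in $.
$sid = (New-Object System.Security.Principal.NTAccount($gmsa)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

# 3. Export the current user-rights assignments (secedit writes UTF-16).
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$list = [System.Collections.Generic.List[string]](Get-Content $cfg)

# 4. Add the SID to SeBatchLogonRight ("Log on as a batch job"), creating the
#    entry under [Privilege Rights] if no one has been granted the right yet.
$i = $list.FindIndex({ param($l) $l -match '^SeBatchLogonRight\s*=' })
if ($i -ge 0) {
    if ($list[$i] -notlike "*$sid*") { $list[$i] += ",*$sid" }
} else {
    $h = $list.IndexOf('[Privilege Rights]')
    if ($h -lt 0) { throw 'Unexpected secedit export: no [Privilege Rights] section.' }
    $list.Insert($h + 1, "SeBatchLogonRight = *$sid")
}
Set-Content -Path $cfg -Value $list -Encoding Unicode

# 5. Apply only the USER_RIGHTS area so nothing else in local policy changes.
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg, $db -ErrorAction SilentlyContinue

# 6. Register the scheduled task under the gMSA. -LogonType Password with no
#    stored password is how the Task Scheduler is told to fetch the managed
#    password from AD at run time.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument '-NoProfile -File C:\Scripts\nightly.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At 2am
$principal = New-ScheduledTaskPrincipal -UserId $gmsa -LogonType Password
Register-ScheduledTask -TaskName 'Nightly-gMSA' -Action $action `
    -Trigger $trigger -Principal $principal | Out-Null

# Confirm the task is bound to the gMSA rather than to a cached credential.
(Get-ScheduledTask -TaskName 'Nightly-gMSA').Principal | Format-List UserId, LogonType
```

If the host is domain-joined and the right is also set through a GPO, the GPO wins on the next refresh, so make the same change in the GPO that scopes these servers.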