I'm having trouble trying to get a scheduled task to work as a group managed service account (gMSA). The scheduled task runs a PowerShell script that gives a certain user account Send As permissions to all users' mailboxes that are members of a security group.
The source script is here:
# Collect the mailbox of every member of the security group
$UserMailboxes = @(Get-ADGroupMember "SecurityGroup" | ForEach-Object { Get-Mailbox $_.DistinguishedName })
# Grant the trustee Send As on each of those mailboxes
$UserMailboxes | Add-ADPermission -User "SendAs.User" -ExtendedRights "Send As"
I know the script works because I have run this using my admin account and it applies the necessary permissions, so I am putting this down to a permissions issue for the gMSA. The gMSA I am using to run this scheduled task has the following Exchange permissions:
Organization Management
Recipient Management
Records Management
As far as I am aware, Organization Management and Recipient Management are the two roles required to achieve what I'm after. When I run the script (using the scheduled task) as my gMSA I get the following output:
Add-ADPermission : Active Directory operation failed on domaincontroller.domain.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
At \\Server\Share\SendAsScript.ps1:4 char:18
+ $UserMailboxes | Add-ADPermission -User "SendAs.User" -ExtendedRights "Sen ...
+                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (3:Int32) [Add-ADPermission], ADOperationException
    + FullyQualifiedErrorId : [Server=MAILSERVER,RequestId=0853f01c-96ab-407e-9b60-041fa0c3b7d4,TimeStamp=18/12/2019 09:38:40] [FailureCategory=Cmdlet-ADOperationException] FA926979,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
Does anyone have any suggestions what could be the issue here? I'm coming to the conclusion that perhaps it's not possible for a gMSA to run the commands I require; if anyone could clarify that as well it would be equally helpful!
Thanks
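As an added example (not the poster's script), here is a version of the task script that audits which mailboxes already carry the Send As grant before changing anything, logs each mailbox's outcome together with the account the task ran under, and supports a dry run. It assumes the Exchange Management Shell and the ActiveDirectory module are loaded and keeps the post's placeholder names for the group and trustee.

```powershell
# Added example: idempotent Send As grant with per-mailbox logging and a dry-run switch.
# Assumes Exchange Management Shell (Get-Mailbox, Get-ADPermission, Add-ADPermission)
# and the ActiveDirectory module (Get-ADGroupMember) are available in the session.
param(
    [string]$GroupName = 'SecurityGroup',   # placeholder from the post
    [string]$Trustee   = 'SendAs.User',     # placeholder from the post
    [string]$LogPath   = "$env:ProgramData\SendAsScript\run.log",  # assumed log location
    [switch]$WhatIf
)

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogPath -Append
}

# Record which identity the task actually ran as (a gMSA shows up as NAME$).
Write-Log "Run started as $env:USERDOMAIN\$env:USERNAME"

# Resolve group members (including nested groups) to mailboxes; drop members without one.
$mailboxes = Get-ADGroupMember -Identity $GroupName -Recursive |
    ForEach-Object { Get-Mailbox -Identity $_.DistinguishedName -ErrorAction SilentlyContinue } |
    Where-Object { $_ }

foreach ($mbx in $mailboxes) {
    # Does the trustee already hold an Allow Send-As ACE on this mailbox object?
    $existing = Get-ADPermission -Identity $mbx.DistinguishedName -User $Trustee -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like '*Send-As*') }
    if ($existing) {
        Write-Log "SKIP  $($mbx.PrimarySmtpAddress): $Trustee already has Send As"
        continue
    }
    if ($WhatIf) {
        Write-Log "WOULD $($mbx.PrimarySmtpAddress): grant Send As to $Trustee"
        continue
    }
    try {
        Add-ADPermission -Identity $mbx.DistinguishedName -User $Trustee -ExtendedRights 'Send-As' -ErrorAction Stop | Out-Null
        Write-Log "GRANT $($mbx.PrimarySmtpAddress): Send As -> $Trustee"
    } catch {
        # An INSUFF_ACCESS_RIGHTS failure lands here per mailbox instead of aborting the whole run,
        # so the log shows exactly which objects the running account could not write to.
        Write-Log "FAIL  $($mbx.PrimarySmtpAddress): $($_.Exception.Message)"
    }
}
Write-Log "Run finished"
```

Running it once with -WhatIf from the scheduled task shows in the log whether the gMSA can at least enumerate the group and mailboxes before any ACL is touched.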