We have a PowerShell script that will enumerate the members of a specified AD group and then create a text file with login ID and Name. The script will then create an email to Managers informing them of the membership of the AD Groups that manage their application/service. The issue we are having is with the following line:
Get-ADGroupMember -Identity $ADGroupName -Recursive |
Get-ADUser -Properties * | Select-Object employeeID, name |
Sort-Object name | Out-File -FilePath $Attachment
This will correctly create the file with the requested information when a user runs the script. The issue is when we attempt to run this script via a Scheduled Task using a gMSA. When running this under the gMSA, a zero-byte file is created. Changing the file creation line to:
Get-Service | Out-File -FilePath $Attachment
creates a file as expected, so the issue appears to be the Get-ADGroupMember. Can a gMSA be used to query AD like this?
Our internal group that manages the MSA/gMSA accounts informs us everything should be working correctly. Our Security Group prefers that everything that needs some type of user context be run via MSA/gMSA, since password management is not an issue.
The group that manages the gMSA/MSA accounts 'fixed' the issue by placing the gMSA in the Domain Users group. It looks like the Get-ADUser and Get-ADGroup commands work without the gMSA in the Domain Users group, but Get-ADGroupMember requires it.
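The zero-byte file described above is what Out-File produces when the pipeline feeding it emits nothing: any error from Get-ADGroupMember goes to the error stream, which a scheduled task silently discards, so the export looks like it "ran" but the cause is invisible. The following is an added diagnostic version of the export (not the poster's script) that logs the identity the task actually runs as, makes AD errors terminating, records how many objects each cmdlet returned, and flags an empty attachment. The parameter names, the log path under ProgramData, and the choice to request only the employeeID property instead of -Properties * are assumptions made for this example.

```powershell
# Added example, not from the original question. Parameter names and the
# log location are assumptions; adjust them to the environment.
param(
    [Parameter(Mandatory)] [string] $ADGroupName,
    [Parameter(Mandatory)] [string] $Attachment,
    [string] $LogPath = "$env:ProgramData\GroupReport\export.log"
)

Import-Module ActiveDirectory -ErrorAction Stop

# Make sure the log directory exists, then append timestamped lines to it.
$null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $LogPath)
function Write-Log {
    param([string] $Message)
    Add-Content -Path $LogPath -Value ("{0:o} {1}" -f (Get-Date), $Message)
}

# Record which security principal the scheduled task really runs under
# (interactive user vs. gMSA), so the two runs can be compared in the log.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Log "Running as '$($identity.Name)'; exporting group '$ADGroupName'"

try {
    # -ErrorAction Stop turns access-denied and lookup errors into terminating
    # errors that land in the catch block instead of being dropped.
    $members = Get-ADGroupMember -Identity $ADGroupName -Recursive -ErrorAction Stop |
        Where-Object { $_.objectClass -eq 'user' }
    Write-Log "Get-ADGroupMember returned $(@($members).Count) user object(s)"

    # Resolve each member to a user and keep only the two columns the report needs.
    $rows = foreach ($m in $members) {
        Get-ADUser -Identity $m.DistinguishedName -Properties employeeID -ErrorAction Stop |
            Select-Object employeeID, name
    }
    Write-Log "Get-ADUser resolved $(@($rows).Count) user(s)"

    $rows | Sort-Object name | Out-File -FilePath $Attachment -ErrorAction Stop

    # An empty attachment is a failure signal worth recording explicitly.
    $size = (Get-Item -Path $Attachment).Length
    Write-Log "Wrote '$Attachment' ($size bytes)"
    if ($size -eq 0) {
        Write-Log "WARNING: attachment is empty; the AD queries above returned no rows"
    }
}
catch {
    Write-Log "ERROR: $($_.Exception.GetType().Name): $($_.Exception.Message)"
    throw
}
```

Run it once interactively and once from the scheduled task under the gMSA, then compare the two log blocks: the "Running as" line confirms the task identity, and the first error line (for example an access-denied or "cannot find an object" message from Get-ADGroupMember) shows which cmdlet the gMSA lacks rights for, which is the evidence to take back to the group that manages the account rather than broadening its group memberships blindly.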