Dashboard RunAs doesn't work when service account is not in the administrator group

I followed the guide for how to run PowerShell Universal with a service account. I use a GMSA account (Group Managed Service Account), we can call it SvcPSU. SvcPSU is a user with the extra privileges specified in the article below and runs the PowerShell Universal service.

I created a secret variable with another service account, we can call that account ServicePSUDashboard. When I try to run a dashboard as ServicePSUDashboard I get the error “Dashboard 2; Request failed with status code 500”.
If I put SvcPSU in the administrator group, it works fine to run the dashboard with the ServicePSUDashboard.

Is there a system right missing somewhere? I can’t find anything in the logs.

Product: PowerShell Universal
Version: 2.11.00

Issue mentions that this should be fixed in today's release 2.11.0, but I guess that ain't so then?

Error with credentials and schedules.ps1 · Issue #1144 · ironmansoftware/issues (github.com)

Another recent thread on the issue here: Error with credentials and schedules.ps1 - PowerShell Universal - Ironman Software Forums

Issue 1144 was a different problem. It was when you created a schedule and passed a credential variable as a parameter.

New-PSUScript -Script MyScript.ps1 -MyCredentialParameter 'ThisIsACredVar' -Cron "* * * * *"

For this particular issue, can you please download a PSU log? In Settings \ General \ Diagnostics you should be able to get it. Hopefully it has a better error message.

Hi @Pewh, I am wondering if there could be a mixup whereby the documentation is referring to standard service accounts, which are user accounts (uses Get-ADUser). Here we are talking about group managed service accounts, which are different (uses Get-ADServiceAccount). It’s not clear if gMSA are supported by PSU.

@adam, can you confirm if gMSA is supported by PSU?

I know other users are using gMSAs. Personally, I haven’t set one up in a while with PSU. I did get a log from @Pewh but it didn’t provide much information aside from the fact that the dashboard failed to start.

The same thing happens when I run the service as an ordinary user, so it is not connected to the GMSA account from what I can see.

Hi @Pewh,

Can you confirm if you added the account to “logon as a batch job”? You mentioned that you followed the guide but please double check as that permission is listed separately from the other 3 in the documentation.

Yes you need this permission, it is a local group policy.
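
One way to verify the “Log on as a batch job” assignment discussed above on the PSU server, as an added example that is not from any poster in this thread or from Ironman Software. It assumes an elevated PowerShell session; the account name `CONTOSO\ServicePSUDashboard` is a placeholder for whichever account you want to check.

```powershell
# Added example: list who holds "Log on as a batch job" (SeBatchLogonRight) on this machine.
# Run elevated. The default account name below is a placeholder.
param(
    [string]$Account = 'CONTOSO\ServicePSUDashboard',
    [string]$Right   = 'SeBatchLogonRight'
)

$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    # Export only the user rights assignments from the local security database.
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit $LASTEXITCODE); run elevated." }

    # Lines look like: SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
    $line = Get-Content -Path $cfg | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# Entries are either "*<SID>" or an account name; normalise everything to a SID string.
$holderSids = foreach ($h in $holders) {
    if ($h.StartsWith('*')) { $h.TrimStart('*') }
    else {
        try { ([System.Security.Principal.NTAccount]$h).Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { Write-Warning "Could not resolve '$h'" }
    }
}

$targetSid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value

# Print every holder with a readable name where one can be resolved.
foreach ($sid in $holderSids) {
    $name = try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
    '{0,-50} {1}' -f $name, $sid
}

if ($holderSids -contains $targetSid) { "$Account is assigned $Right directly." }
else { "$Account is not listed directly for $Right; it may still hold it through one of the groups above." }
```

For a gMSA, pass the account with its trailing `$` (for example `DOMAIN\SvcPSU$`) so the name resolves to a SID.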

Hi @DataTraveler
I have verified that the account has the right “Log on as a batch job”.
As I wrote earlier, it is not related to the GMS account, since I now run it as an ordinary user account with the privileges specified in the documentation.

Hi @pewh,

This is getting kind of lost. It’s not really clear what’s happening and I'm not able to reproduce this. Can you please provide ordered steps from the very beginning on how to reproduce this issue? Everything works fine for me when I follow the documentation, so something is different on your end. We need to try to find what the difference (restriction) is that you have on your end.

Can you start from the beginning and provide clear ordered numerical steps to recreate the issue? I’m sure once the issue can be reproduced that Adam will be able to address it. Until then, we are flailing around guessing.

Thank you!