Running a script with gMSA

Product: PowerShell Universal
Version: 5.4.1
IIS Install/SQL Express
AppPool ID: LocalSystem


Greetings, first post here!

I am struggling through the initial learning curve of PSU and trying to use a gMSA to run a script. I’m experienced in the ways of gMSA, so it’s been properly created and the local machine has rights to retrieve the password. The account has both “Log on as a batch job” and “Log on as a service” rights.

I’ve registered the gMSA as a PSCredential variable (DOMAIN\user$), and checked the box for “Password not required”. No test can be performed on the credential, as for standard accounts. I assume this is a limitation of gMSAs.

I can select the credential in the script properties. All good. But when running the script, I get:

Error executing job: Failed to login user (1326). System.ComponentModel.Win32Exception (1326): The user name or password is incorrect.


In the Windows Security Log, I see confirmation that IIS is initiating the logon, but finding “Unknown user name or bad password”:

Subject:
	Security ID:		SYSTEM
	Account Name:		MYCOMPUTER$
	Account Domain:		MYDOMAIN
	Logon ID:		0x3E7

Logon Type:			4

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		svc_gMSA$
	Account Domain:		MYDOMAIN

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xC000006D
	Sub Status:		0xC000006A

Process Information:
	Caller Process ID:	0x1048
	Caller Process Name:	C:\Windows\System32\inetsrv\w3wp.exe


The IIS app pool is running under LocalSystem. From the docs I am understanding that if I were to run it under a custom service account, then I could not use alternate credentials.

How does one get this working?

Thank you!

Just to cover a few additional bases:

  • forwardWindowsAuthToken is set to “true”
  • Using a standard AD account as alternate credentials works fine
  • Tried granting additional User Rights in Local Security Policy: Impersonate a client after authentication, Replace a process level token, Obtain an impersonation token for another user in the same session
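Two things worth checking before blaming the product are whether the host can really retrieve the managed password, and exactly what the Security log records for the failed batch logon (status 0xC000006D, sub status 0xC000006A, caller w3wp.exe, as quoted above). The following is an added diagnostic example, not code from the original post or from PowerShell Universal; it assumes the ActiveDirectory RSAT module is installed, the shell is elevated, and the account name svc_gMSA from the post (replace it with your own).

```powershell
# Added diagnostic example (not from the original post or the PSU project).
# 1) Confirm this host is allowed to, and actually can, retrieve the gMSA password.
# 2) List the recent 4625 logon failures for that account, decoded from event XML.
# Assumes: ActiveDirectory module (RSAT) installed, elevated session, gMSA name from the post.
param(
    [string]$GmsaName = 'svc_gMSA',   # sAMAccountName without the trailing '$'
    [int]$Hours = 24
)
Import-Module ActiveDirectory -ErrorAction Stop

# Who may retrieve the managed password, and does it work from this machine?
$acct = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
"Principals allowed to retrieve the password: $($acct.PrincipalsAllowedToRetrieveManagedPassword -join ', ')"
"This host can retrieve the password: $(Test-ADServiceAccount -Identity $GmsaName)"

# Event 4625 = an account failed to log on. TargetUserName carries the trailing '$' for a gMSA.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    if ($data.TargetUserName -eq "$GmsaName`$") {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            LogonType = $data.LogonType    # 4 = batch, as in the post
            Status    = $data.Status       # 0xC000006D = logon failure
            SubStatus = $data.SubStatus    # 0xC000006A = bad password; 0xC0000064 = no such user
            Caller    = $data.ProcessName  # e.g. ...\inetsrv\w3wp.exe for the IIS app pool
        }
    }
}
```

If Test-ADServiceAccount returns False, the host cannot obtain the managed password and no application on it will be able to log the gMSA on; if it returns True and the 4625 events still show sub status 0xC000006A, the failure is in how the calling process performs the logon rather than in the AD side.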

All Comments (5)


For what it’s worth, I am also having this issue and cannot get gMSAs to run my scripts. Would love to see a solution for this!


Adam reports that the gMSA issues are solved and will be fixed in the 5.4.4 milestone!


Just confirming this works in 5.4.4.


Hi there!
It seems that the issue is back.

I tried to run scripts (simple script with whoami) with gMSA which I created PSCredential for using the DOMAIN\user$ format and also checked the box for “Password not required”.
Tried this in version 5.6.13 and in 2026.1.6.0.
But I get the same error as @matthew14:
Error executing job: Failed to login user (1326). System.ComponentModel.Win32Exception (1326): The user name or password is incorrect.

The rights for logging on as a batch job and retrieving the password on the server are granted.
Any hints for a solution or a version that fixes the issue again?
Thanks!


Hi all,
In addition to my message above:
My PowerShell Universal Service runs as gMSA.

The account is a member of the group that has permission to retrieve the password of the other gMSA (the one I try to run scripts as).