PowerShell – Service account permissions on DNS server – Task Scheduler

Posted: November 20, 2019 in Windows Server

Let’s presume we have a PowerShell script that edits a DNS entry, and we need to run it as a Scheduled Task under a service account.

Grant the service account the “Log on as a batch job” right by using GPO:

  • Click START, type Group Policy, then click Group Policy Management
  • Either edit the existing GPO that contains the existing USER RIGHTS ASSIGNMENT (likely Default Domain Policy) or right-click and CREATE AND EDIT a new policy
  • Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
  • Double-click Log on as a batch job
  • Click the Add User or Group button and add your service account user


In case you still get the “This Task Requires That The User Account Specified Has Log On As Batch Job Rights” warning in Task Scheduler, add the user to the Backup Operators group.

Then add the user to the DNSAdmins group.
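As an added example (not part of the original post), the snippet below checks both prerequisites on the task host and then registers the scheduled task under the service account. The account name, script path and task name are placeholders; the DnsAdmins check assumes the ActiveDirectory module is available, and secedit needs an elevated prompt.

```powershell
# Added example, not from the original post: verify the "Log on as a batch job"
# right and DnsAdmins membership, then register the task under the service account.
# Placeholders (assumptions): CONTOSO\svc-dns, C:\Scripts\Update-DnsRecord.ps1, task name.
$Account    = 'CONTOSO\svc-dns'
$SamName    = 'svc-dns'
$ScriptPath = 'C:\Scripts\Update-DnsRecord.ps1'

# 1. SeBatchLogonRight on this host. secedit exports the right as a list of SIDs,
#    so resolve the account to its SID and look for it. A right inherited through
#    a group (Backup Operators holds it by default) lists the group SID, not the
#    account SID, so a miss here can still be a pass via group membership.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$batch = Get-Content $inf | Where-Object { $_ -like 'SeBatchLogonRight*' } | Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue
if ($batch -and $batch.Contains($sid)) {
    Write-Host "OK: $Account holds SeBatchLogonRight directly"
} else {
    Write-Warning "$Account not listed for SeBatchLogonRight; run gpupdate /force or check group membership"
}

# 2. DnsAdmins membership (recursive, so nested groups count).
$members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive | Select-Object -ExpandProperty SamAccountName
if ($members -contains $SamName) {
    Write-Host "OK: $SamName is a member of DnsAdmins"
} else {
    Write-Warning "$SamName is not in DnsAdmins; DNS record changes will be denied"
}

# 3. Register the task. The password is prompted for rather than stored in the
#    script, and the task runs with the account's normal token (no elevation).
$action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
                -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""
$trigger  = New-ScheduledTaskTrigger -Daily -At '02:00'
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)
$cred     = Get-Credential -UserName $Account -Message 'Service account password'
Register-ScheduledTask -TaskName 'Update-DnsRecord' -Action $action -Trigger $trigger `
    -Settings $settings -User $Account -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited | Out-Null

# 4. Confirm Task Scheduler accepted the account; a missing logon right fails here.
Get-ScheduledTask -TaskName 'Update-DnsRecord' | Select-Object TaskName, State
```

If step 4 throws the batch-logon error from the post, the GPO has not applied to this host yet or the account is not in a group that carries the right.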

If the script needs to be executed from a remote machine:

Enabling Remote Management

  • Add the service account to WinRMRemoteWMIUsers__ on the DNS Server/DC.
  • On the Windows desktop, right-click Windows PowerShell on the taskbar, and then click Run as Administrator (on the Windows start screen, right-click Windows PowerShell, and then on the app bar, click Run as Administrator).
  • Type the following, and then press Enter to enable all required firewall rule exceptions.

Configure-SMremoting.exe -enable


Open Computer Management: Start > Run > compmgmt.msc

Expand Services and Applications – right-click WMI Control – Properties – Security tab – click Security


Add the service account.

In Applies to, choose “This namespace and subnamespaces” and click “Allow” for Execute Methods and Enable Account.

If the script needs to be run remotely, also click “Allow” for Remote Enable.


For remote access:

In WMI Control, expand Root – CIMV2 – Security


Add the group WinRMRemoteWMIUsers__ as the principal, then click OK.

In Applies to, choose “This namespace and subnamespaces”.

Add the service account and click “Allow” for Execute Methods, Enable Account and Remote Enable.

Restart the Windows Management Instrumentation service.
