When creating the PSSC file for a JEA endpoint you can specify this parameter to say what groups the virtual account should be in, but I can't seem to get it to work with domain groups. In my example I have allowed Get-Acl, and I have a shared folder which mytestgroup has permissions to. But when I specify mydomain\mytestgroup as a RunAsVirtualAccountGroups and then run Get-Acl mysharedfolder from the JEA session I get access denied – so it seems as though the virtual account is not being added to the group. I can't find any documentation to say whether or not this parameter works with domain groups or only local groups on the endpoint.
When you use RunAsVirtualAccount, that account is a local account on the machine where the endpoint is created, so far as I know. You can't add local Windows accounts to domain groups (except on Domain Controllers).
If you need your endpoint to run with domain access, then you would just use -RunAsCredential (with credentials of a domain account that has the necessary access) instead of -RunAsVirtualAccount .
In this case, though (assuming that the JEA endpoint is going onto the server that contains the shared folder), I'd recommend just granting a local group access to the share, and specifying that local group in your PSSC file.
Thanks, that makes more sense. I had tried using the RunAsCredential parameter but it was giving a verification error when trying to register the configuration. However after unregistering everything rebooting and reregistering using RunAsCredential and RunAsVirtualAccount set to $false it is now working as expected with the domain user credentials.