JEA RunAsVirtualAccountGroups

This topic contains 2 replies, has 2 voices, and was last updated by Henry Buckle 8 months, 3 weeks ago.

  • #36659
    Henry Buckle
    Participant

    When creating the PSSC file for a JEA endpoint you can specify this parameter to say what groups the virtual account should be in, but I can't seem to get it to work with domain groups. In my example I have allowed Get-Acl, and I have a shared folder which mytestgroup has permissions to. But when I specify mydomain\mytestgroup as a RunAsVirtualAccountGroups and then run Get-Acl mysharedfolder from the JEA session I get access denied – so it seems as though the virtual account is not being added to the group. I can't find any documentation to say whether or not this parameter works with domain groups or only local groups on the endpoint.

  • #36661
    Dave Wyatt
    Moderator

    When you use RunAsVirtualAccount, that account is a local account on the machine where the endpoint is created, so far as I know. You can't add local Windows accounts to domain groups (except on Domain Controllers).

    If you need your endpoint to run with domain access, then you would just use -RunAsCredential (with credentials of a domain account that has the necessary access) instead of -RunAsVirtualAccount.

    In this case, though (assuming that the JEA endpoint is going onto the server that contains the shared folder), I'd recommend just granting a local group access to the share, and specifying that local group in your PSSC file.
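
Added example, not part of the thread and not the posters' own code: one way to set up the local-group approach recommended in the reply above, run elevated on the server that hosts the folder. The folder path, local group name and endpoint name are assumptions; `mydomain\mytestgroup` is taken from the question and is used here only to decide who may connect.

```powershell
# Assumed names (not from the thread): adjust to your environment.
$Folder     = 'D:\Shares\mysharedfolder'   # local path of the shared folder
$LocalGroup = 'JEA-ShareReaders'           # local group for the virtual account
$Endpoint   = 'ShareAclReader'             # JEA endpoint name
$PsscPath   = Join-Path $env:ProgramData "JEA\$Endpoint.pssc"

# 1. Create the local group the virtual account will run as a member of.
if (-not (Get-LocalGroup -Name $LocalGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $LocalGroup -Description 'JEA virtual account group' | Out-Null
}

# 2. Grant that local group read access on the folder (NTFS ACL).
#    ReadAndExecute includes ReadPermissions, which Get-Acl needs.
$acl  = Get-Acl -Path $Folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$env:COMPUTERNAME\$LocalGroup", 'ReadAndExecute',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Build the session configuration. Without RunAsVirtualAccountGroups the
#    virtual account is a local Administrator on a member server; naming a
#    local group here limits it to that group's rights instead.
New-Item -ItemType Directory -Path (Split-Path $PsscPath) -Force | Out-Null
$pssc = @{
    Path                      = $PsscPath
    SessionType               = 'RestrictedRemoteServer'
    RunAsVirtualAccount       = $true
    RunAsVirtualAccountGroups = $LocalGroup
    VisibleProviders          = 'FileSystem'   # assumption: lets Get-Acl resolve file paths
    # Domain group controls who can connect and what they can run.
    RoleDefinitions           = @{ 'mydomain\mytestgroup' = @{ VisibleCmdlets = 'Get-Acl' } }
}
New-PSSessionConfigurationFile @pssc

# 4. Validate the file before registering so a bad PSSC fails here,
#    not at connection time.
if (-not (Test-PSSessionConfigurationFile -Path $PsscPath)) {
    throw "Session configuration file failed validation: $PsscPath"
}
Register-PSSessionConfiguration -Name $Endpoint -Path $PsscPath -Force
```

A member of `mydomain\mytestgroup` can then connect with `Enter-PSSession -ComputerName <server> -ConfigurationName ShareAclReader` and run `Get-Acl` against the folder's local path.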

  • #36677
    Henry Buckle
    Participant

    Thanks, that makes more sense. I had tried using the RunAsCredential parameter, but it was giving a verification error when trying to register the configuration. However, after unregistering everything, rebooting, and reregistering using RunAsCredential and RunAsVirtualAccount set to $false, it is now working as expected with the domain user credentials.
