March 22, 2018 at 6:10 pm

I'm having trouble with a script that runs as a scheduled task under a group managed service account. Everything works fine under an account or with a regular account assigned to the task, but when using the system account or a group managed service account I'm having trouble assigning and using values that should be being assigned to a variable.
The variable is assigned as:
$WebRequest = Invoke-WebRequest -Uri "some web address" -Credential $credential

Which returns something like:
StatusCode : 200
StatusDescription : OK
Content : good
RawContent : HTTP/1.1 200 OK
Connection: keep-alive
X-Varnish: 1713844308
Age: 0

I'm sending an email with the info, but it is empty if the scheduled task is run under the group managed service account or the local system account. The task runs and the email is sent, but anything I try to use, like ($Webrequest).StatusCode, is empty. If I assign a value to $WebRequest manually before the command is run, I'll get the manually assigned value as if it's never run, but if I use a Uri of a webserver I can see the logs of, I see the connection. Other manually assigned values from other variables are available as well. I'm sure there's a reason this doesn't work, but I can't find it and would really like to know. Has anyone seen something like this before? This is on a domain controller if that makes a difference, but the same thing happens on a non-DC.

April 15, 2018 at 3:41 pm

Those accounts are deliberately pretty limited in what they can do, and the local system account as an example has no authority off-machine. Like, anything it does off-machine will appear as anonymous/unauthenticated. It's likely Invoke-WebRequest is failing for that reason.
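
An added diagnostic example, not code from either poster: a variable that keeps its manually assigned value is what PowerShell does when Invoke-WebRequest throws and the assignment never happens, so this wrapper records the identity the task really runs as and the exception text. The function name, log path and URI are hypothetical placeholders, and -UseBasicParsing is included on the assumption that the task runs Windows PowerShell 5.1, where the default parser depends on Internet Explorer being initialised for the account.

```powershell
# Added example: surface the silent failure when a scheduled task runs
# Invoke-WebRequest as SYSTEM or a gMSA. Names and paths are hypothetical.
function Test-WebRequestAsTaskAccount {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [System.Management.Automation.PSCredential] $Credential,
        [string] $LogPath = "$env:ProgramData\WebCheck\webcheck.log"
    )

    $logDir = Split-Path -Path $LogPath -Parent
    if (-not (Test-Path $logDir)) {
        New-Item -ItemType Directory -Path $logDir -Force | Out-Null
    }

    $result = [ordered]@{
        Time       = (Get-Date).ToString('o')
        # The security principal the task is actually running as.
        Identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Uri        = $Uri
        StatusCode = $null
        Error      = $null
    }

    # ErrorAction Stop makes every failure catchable; UseBasicParsing avoids
    # the Internet Explorer based parser that Windows PowerShell 5.1 uses by default.
    $params = @{ Uri = $Uri; ErrorAction = 'Stop'; UseBasicParsing = $true }
    if ($Credential) { $params.Credential = $Credential }

    try {
        $response = Invoke-WebRequest @params
        $result.StatusCode = [int]$response.StatusCode
    }
    catch {
        # Keep the reason instead of leaving the caller with an empty variable.
        $result.Error = $_.Exception.Message
        if ($_.Exception.Response) {
            $result.StatusCode = [int]$_.Exception.Response.StatusCode
        }
    }

    $entry = [pscustomobject]$result
    $entry | ConvertTo-Json -Compress | Add-Content -Path $LogPath
    return $entry
}
```

Call it from the task script in place of the bare Invoke-WebRequest line and put the returned Identity and Error fields in the email body, so a run under the service account reports why StatusCode is empty.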