Cannot create group when scripting using the New-QADGroup cmdlet in the context of a gMSA account
Description
There is a requirement to run a PowerShell script that uses the ActiveRolesManagementShell module to manage groups, including group creation. The script runs as a scheduled task in the context of a group Managed Service Account (gMSA). The ACLs Active Roles (ARS) requires have been granted on the OU to that gMSA; the account connects successfully to the ARS instance, can query objects and can add group members, but group creation fails with "Access Denied". The same New-QADGroup command, with exactly the same parameters, succeeds when run in the context of a user account that has been granted the same permissions.
Cause
The gMSA account must be able to read the ManagedBy (group owner) attribute of the objects referenced as group owners; without that read access, group creation through Active Roles is denied.
Resolution
Grant the gMSA account the "Read All Properties" ACL for all object classes at the domain level, or on the OUs that contain the objects referenced as group owners (ManagedBy).
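Before changing ACLs, it helps to confirm that the owner objects are what the gMSA cannot read. The following PowerShell is an added diagnostic example written for this article; it is not a script from the KB or from the Active Roles product. It assumes the ActiveRolesManagementShell module is installed, that it is run under the gMSA (for example from the same scheduled task), and that the ARS host name and OU distinguished name are placeholders to be replaced. It also assumes the ManagedBy property is returned as a distinguished name, which is an assumption rather than something the article states.

```powershell
# Added diagnostic example; not part of the original KB article.
# Placeholders (hypothetical): the ARS host name and the OU distinguished name.
# Run under the gMSA so the check reflects the account that actually calls New-QADGroup.

Import-Module ActiveRolesManagementShell

$arsService = 'ars01.example.com'                    # placeholder Active Roles host
$groupOu    = 'OU=Managed Groups,DC=example,DC=com'  # placeholder OU the script creates groups in

# Connect through the Active Roles proxy so ARS permissions, not only native AD ACLs, are evaluated.
Connect-QADService -Proxy -Service $arsService | Out-Null

$unreadableOwners = @()

Get-QADGroup -SearchRoot $groupOu -SizeLimit 0 | ForEach-Object {
    $ownerDn = $_.ManagedBy          # assumption: owner reference is returned as a DN
    if (-not $ownerDn) { return }    # group has no owner; nothing to check for this group

    # Try to read the owner object; this is the read that the cause section says the gMSA needs.
    $owner = Get-QADObject -Identity $ownerDn -ErrorAction SilentlyContinue
    if (-not $owner) {
        $unreadableOwners += [pscustomobject]@{
            Group   = $_.DN
            OwnerDn = $ownerDn
        }
    }
}

if ($unreadableOwners.Count -eq 0) {
    Write-Output "The current account can read the ManagedBy owner of every group under $groupOu"
} else {
    # Each OwnerDn below lives in a container that still needs the Read All Properties ACL for the gMSA.
    Write-Warning "Owner objects the current account cannot read:"
    $unreadableOwners | Format-Table -AutoSize
}

Disconnect-QADService
```

Listing the owner DNs the account cannot read tells you which containers need the ACL from the resolution, so it can be applied to those OUs rather than the whole domain when that is sufficient.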