We just upgraded from TFS 2017 to ADS 2020. The ADS runs in one domain and the build server runs in another. All appropriate cross-domain permissions are set up - these domains talk all of the time every day.
I had a service account created for the build server from the ADS domain for the ADS pipeline to run under (even though the machine is on the other domain) and when we first tried this I got errors that the build didn't have access to write to the registry. This is despite the service account (which again is on a different domain than the build server) being in the Administrators group on the build server. At some point that error went away, but now I get an error trying to run a PowerShell script from the build.
Just to summarize, Build Server on Domain1, ADS Server on Domain2, Service account running pipeline is on Domain2, but is part of the Administrators group on Build Server (Domain1). Pipeline runs fine up until it tries to execute a PowerShell script and then gets an error saying the permissions aren't there to run a script.
Hope this all makes sense.