We have two kinds of managed service accounts in an Active Directory configuration.
- Standalone Managed Service Accounts (SMSA) provide automatic password management. In simplified terms, users do not manage credentials for these accounts. The password is changed automatically and synchronized with the services as per the Active Directory policy. We can use a standalone managed service account for a single server.
- Group Managed Service Accounts (gMSA) extend the functionality of SMSA. You can use a gMSA for multiple servers. We define an AD group and grant permissions to all required servers that can use the credentials of the specified gMSA.
To summarize, you get the following benefits using gMSA as the service account for SQL Services.
- Automatic password management
- Administrators are not required to store the passwords in a password vault
- It uses a very complex password (120 characters) that is not known even to administrators, which avoids the risk of unknowingly circulating the password
- Automatic SPN registration
- You can use them across multiple servers and services
- You can use gMSA on standalone servers or for services that run on top of a failover cluster service, such as a Windows service, app pool, or scheduled task
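
The gMSA setup described above (an AD group of servers that are permitted to use the account's credentials), followed by a check that nothing else can retrieve the password. This is an added example, not code from the original post. The domain `corp.example`, the group `gMSA-SQL-Hosts`, the account `gmsaSQL` and the hosts `SQL01`/`SQL02` are hypothetical names, and it assumes the ActiveDirectory module is installed and a KDS root key already exists in the domain.

```powershell
# Hypothetical names throughout; adjust to your environment.
Import-Module ActiveDirectory

$GroupName = 'gMSA-SQL-Hosts'      # AD group of servers allowed to use the gMSA
$GmsaName  = 'gmsaSQL'             # the group managed service account
$Hosts     = 'SQL01$', 'SQL02$'    # computer accounts of the SQL Server hosts

# 1. Create the AD group and add the servers that may use the gMSA.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $GroupName -Members $Hosts

# 2. Create the gMSA; only members of the group may retrieve its managed password.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.corp.example" `
    -PrincipalsAllowedToRetrieveManagedPassword $GroupName

# 3. Run on each SQL host (reboot it first so the new group membership applies).
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    Write-Warning "$env:COMPUTERNAME cannot retrieve the password for $GmsaName"
}

# 4. Audit: the only principal allowed to read the password should be the group,
#    and the group should contain computer accounts only.
$expectedDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
$gmsa = Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword
foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    if ($dn -ne $expectedDn) {
        Write-Warning "Unexpected principal can read the gMSA password: $dn"
    }
}
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -ne 'computer' } |
    ForEach-Object {
        Write-Warning "Non-computer member in ${GroupName}: $($_.SamAccountName)"
    }
```

Steps 1, 2 and 4 run from an administrative workstation or domain controller; step 3 runs on each server that hosts the service.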