• EdVassie (2/13/2015)

    If you have any SQL 2012 or above instances running on Windows 2012 or above then you really should look at using Group Managed Service Accounts, at https://technet.microsoft.com/en-gb/library/hh831782.aspx

    gMSAs have the normal MSA advantage of not needing any password management, but can also be used for clusters and on multiple servers.

    It has long been best practice that each SQL Service on each server should have its own service account, in order to tailor privileges to each service, to stop contagion if a password gets misused, and to simplify the process of password change. IMHO gMSAs change this for a lot of organisations. There are no knowable passwords to be misused and Active Directory deals with password change automatically. If you have high security needs such as HIPAA or PCI you still need separate accounts for everything, but organisations with lower security needs can much more safely consider one account per service to be used on all instances. Even the low-security approach of one account for all services everywhere has got a lot safer if the account is a gMSA.

    Nice idea and I appreciate the pointer, but we're just now standing up our first SQL2012 servers, and because one of our security tools doesn't work with Server 2012, any deployments of that have been put on hold...
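For readers weighing the gMSA suggestion in the quoted post, here is an added PowerShell example (not from either poster) that provisions a gMSA for SQL Server and then audits which SQL services on a host already run under a gMSA versus a conventional password-bearing account. The domain `contoso.com`, the account name `gmsa-sql01` and the security group `SQL-Hosts` are placeholders; the creation step assumes the ActiveDirectory RSAT module and rights to create service accounts in the domain.

```powershell
# Added example, not from the original thread.
# Assumptions (placeholders): domain contoso.com, gMSA name gmsa-sql01,
# and a security group SQL-Hosts containing the computer accounts that
# are allowed to retrieve the managed password.

Import-Module ActiveDirectory

# 1. One-time per forest: the KDS root key that gMSA passwords derive from.
#    Even with -EffectiveImmediately the key only becomes usable after
#    replication (about 10 hours in production).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Create the account. Only members of SQL-Hosts can fetch the password,
#    so nobody ever knows it and no other host can retrieve it.
$gmsaName = 'gmsa-sql01'
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.contoso.com" `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL-Hosts' `
    -KerberosEncryptionType AES128,AES256 `
    -ManagedPasswordIntervalInDays 30

# 3. On each SQL host (after a reboot, so the computer's Kerberos token
#    reflects its SQL-Hosts membership): install and verify retrieval works.
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "This host cannot retrieve the managed password for $gmsaName"
}

# 4. Audit: which SQL Server services on this host run as a gMSA?
#    A gMSA/MSA logon name ends with '$'; anything that is not a virtual
#    or built-in account is a conventional account with a knowable password.
function Get-SqlServiceAccountReport {
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match '^(MSSQL|SQLAgent|MSSQLFDLauncher|ReportServer)' } |
        ForEach-Object {
            $acct = $_.StartName
            $type = switch -Regex ($acct) {
                '\$$'                         { 'gMSA/MSA'; break }
                '^NT Service\\'               { 'virtual account'; break }
                '^(NT AUTHORITY|LocalSystem)' { 'built-in'; break }
                default                       { 'conventional (password-bearing)' }
            }
            [pscustomobject]@{ Service = $_.Name; Account = $acct; Type = $type }
        }
}

Get-SqlServiceAccountReport | Format-Table -AutoSize
```

The service account itself is assigned through SQL Server Configuration Manager (enter `CONTOSO\gmsa-sql01$` with an empty password), which also grants the account the local rights SQL Server needs. Run the audit function on each host before and after the change to confirm no SQL service is still running under an account whose password a person could know or reuse.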