i wanted ask about gMSA and MSA accounts and overall do you create a single account or multiple for each service (Engine, Agent, SSIS, SSAS, SSRS).
Basically i am trying to figure out if I should follow the same design as i have when using Domain accounts.
In additions, would you still use gMSA for a single instance or would you than go for MSA accounts and reserve the gMSAs for Always ON AG?
The reason i am asking about gMSA and MSA is that security at my company is cracking down on service accounts that have non expiring passwords and I am trying to save my self from the calls when the account expires and the servers are down.
Best Answer
Domain user accounts were both over-used, and over-shared.
They were over-shared to reduce the burden of password maintenance. With MSA/gMSA you should provision separate accounts for each service that actually needs a domain account, but that shouldn't be too many because you should be using domain accounts less these days than in the past.
They ware over-used because before the service-hardening work in Windows they actually were a best-practice. But with the adoption of virtual service accounts/per-service SIDs, and the move to virtualization reducing the incidence of large, multi-purpose servers, you should be using the using the default virtual accounts for local permissions, and the computer account for network permissions.
So you should use the default virtual accounts whenever you don't have a specific need for a domain accounts. The specific needs are typically limited to:
You have a cluster and need the same service account on all nodes, or
You have many different services on the same server and don't want to provision network privileges to the computer account.