What should I consider after changing the SQL logon account to an sMSA for each service, in terms of permissions to other drives and servers?

Eudias Kifem 20 Reputation points
2023-02-06T14:27:12.4633333+00:00

I want to migrate SQL logon accounts from virtual accounts to standalone Managed Service Accounts. When I tested, some backup jobs started failing due to insufficient permissions in the backup location. Where do I give permissions to sMSAs to access drives on other servers? AD or server or both? Note: I use different sMSAs for every service.

Your response will be helpful and links to read from too. Thank you.


2 answers

  1. CosmogHong-MSFT 23,321 Reputation points Microsoft Vendor
    2023-02-07T03:15:58.92+00:00

    Hi @Eudias Kifem

    Always run SQL Server services by using the lowest possible user rights. Use the least privileged model, and grant the sMSA only the rights and permissions it requires to run its services. If you're unsure of the required permissions, consult the service creator.

    sMSAs can be used on a single server only. Use a gMSA if you need to use the account across servers.

    Refer to this article: Secure standalone managed service accounts.

    Best regards,

    Cosmog Hong




  2. Thameur-BOURBITA 32,586 Reputation points
    2023-02-07T10:58:47.4866667+00:00

    Hi @Eudias Kifem

    Where do I give permissions to sMSAs to access drives on other servers? AD or server or both? Note: I use different sMSAs for every service.

    Unfortunately, it is not possible, because an sMSA can be used in the case when you have one or more services deployed to a single server:

    In this case you can try a gMSA if it's supported by your application: Getting Started with Group Managed Service Accounts.
    If a gMSA is not supported, you have to keep the old service account.

    Please don't forget to mark helpful answer as accepted
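
The gMSA route both answers point to, as an added example that is not part of either answer: it shows what is configured in AD (which hosts may retrieve the password) and what is configured on the backup server (NTFS and share rights). All names (CONTOSO, SQL01, gmsaSqlEngine, SqlHosts-gMSA, D:\SqlBackups, the SqlBackups share) are hypothetical, and it assumes a KDS root key already exists in the domain and the ActiveDirectory PowerShell module is installed where steps 1 and 2 run.

```powershell
# Added example; every account, host, group, path and share name is a placeholder.

# --- 1. Active Directory side (run with rights to create accounts and groups) ---
Import-Module ActiveDirectory

# Only members of this group can retrieve the gMSA password, so keep it
# limited to the SQL hosts that actually run the service.
New-ADGroup -Name 'SqlHosts-gMSA' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'SqlHosts-gMSA' -Members (Get-ADComputer -Identity 'SQL01')

New-ADServiceAccount -Name 'gmsaSqlEngine' `
    -DNSHostName 'gmsaSqlEngine.contoso.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SqlHosts-gMSA'

# --- 2. On the SQL host (restart it first so it picks up the group membership) ---
Install-ADServiceAccount -Identity 'gmsaSqlEngine'
if (-not (Test-ADServiceAccount -Identity 'gmsaSqlEngine')) {
    throw 'This host cannot retrieve the gMSA password; check group membership.'
}
# Then set the service logon to CONTOSO\gmsaSqlEngine$ with a blank password
# in SQL Server Configuration Manager.

# --- 3. On the backup server: grant only what backup jobs need ---
$account = 'CONTOSO\gmsaSqlEngine$'   # trailing $ is part of the account name
$path    = 'D:\SqlBackups'

# NTFS: Modify on the backup folder only, inherited by files and subfolders.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Share: Change is enough for writing backups; Full is not needed.
Grant-SmbShareAccess -Name 'SqlBackups' -AccountName $account -AccessRight Change -Force

# --- 4. Verify what was granted ---
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
Get-SmbShareAccess -Name 'SqlBackups'
```

With one account per service, as in the question, repeat steps 1 to 3 for each service account and grant each one only the folders that service writes to.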