One of my clients posted a question to me about management of SQL Server service account. Since it was a nice learning for me, I am sharing my discussion via this blog post. Let us see the Best Practices About SQL Server Service Account and Password Management.
- Do I need to have a SQL Service account as a part of Local Administrators or Domain Administrator?
Answer: No, Never! As a best practices SQL Server service should be using a minimally privileged account. We should always avoid running SQL Server services under the contexts of the local system, local administrator or domain administrator accounts. On the other hand, we need to make sure that the SQL Server service account has “full control” permissions on data, log and backup directories for read and write activities.
- How should I change service account and password?
Answer: As per Microsoft documentation, we should always use SQL Server configuration manager to do any modification for SQL Service. Account change and password change, both should be done only via configuration manager.
- Do we need downtime to change service account or password?
Answer: For service account change we need to restart SQL server service. But if we are only changing the password then there is no need to restart the SQL Service.
Keep in mind a bug in SQL Server where if we change the password in clusters on the passive node, SQL services would stop.
https://support.microsoft.com/en-us/kb/972387 (SQL Server Failover Cluster Instance is taken offline when you change the password for the service account on the passive node)
- Why we should not use services.msc?
There are valid reasons for that. As per books online – In addition to changing the account name, SQL Server Configuration Manager performs additional configuration, such as updating the Windows local security store which protects the service master key for the Database Engine. Other tools such as the Windows Services Control Manager can change the account name but do not change all the required settings.
 
I have seen DBA using PowerShell or VBScript do achieve the same remotely. As long as we are calling API provided by SQL Server, there is no difference of using the UI or script.
What method do you use to change account or password for SQL Service?
Reference: Pinal Dave (https://blog.sqlauthority.com)
11 Comments. Leave new
Sql services should be changed from services.msc because that will binaries update in regedit.i am disagree with you.
Nope there are issue u can in replication as well when u start your services with services.msc.Less knowledge is little dangerous to sqlserver u r managing.
Thanks KH
Sure. You can disagree and keep following not so good practices.
When you use the Group Managed Service Accounts (gMSA, as available from Windows Server 2012) you have the advantage of automatic password management and simplified SPN management, including delegation of management to other administrators. The password management is handled by Windows.
See: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11)
Is it recommended to run the SQL server instance using a local account or a domain account? does using domain account impact performance of the SQL server by any chance?
Recommendation is to always use a Domain Account (when possible).
Using SQL server
configuration manager only with domain account.
Hi sir,
I am using service account as Domain account on windows failover cluster to start the sql server services.
And the domain account user is in administrators group. is there any issues with this sir?
Can you suggest me on this.
we have got some vulnerability points on this point.
I need your support.
I am having many sql servers to change sql service account.
Is their any way to change service account for all the servers instead of connecting each and every server.