April 28, 2011 at 3:06 pm
Hi All ,
I am assigned the task to install sql servers in our environment .but first we need to decide whether to use only one service account for all the servers or one service account per server.
What is the difference between using same service account on all the server vs seperate service account per server? What is the best Practice usually followed .
Thanks
April 28, 2011 at 3:11 pm
You should use one service account per server.
If you share service accounts, then someone with sysadmin access to one server can gain access to all the other servers.
If you share service accounts, it makes it impossible to change the passwords without taking all the servers down at the same time. If the account is locked out, it will take all your servers down.
April 28, 2011 at 8:52 pm
Hello,
I totally agree with Michael, Well pointed out the issues with shared service account.
Infact it is always a good practice that you get at least 2 service accounts created per instance.
1 for SQl server SERvice and 1 for sql server Agent.
Our sql server jobs runs with the execution context of the sql server Agent account .
And also, we should not just add these service accounts in Administrator groups for ease.
Infact, it is generally recommended to use a lean approach of assigning only those permission which are required for your operations.
I follow this strategy very strictly in my enviornment.
Sachin
April 28, 2011 at 10:24 pm
In an ideal world - yes, having different accounts for each INSTANCE is a better approach. However we all live in the real world and there is often the argument that other tools, scripts, utilities, applications in your environment work easier and better with a common service account.
What you need to do is consider all the variables in your environment with the Pros and Cons of each and strike a balance for you.
There may be some explicit drivers that force you to go one way (e.g. your internal security compliance restrictions) but these balck and white situations are a rarity.
April 30, 2011 at 12:13 am
Use multiple Service Accounts
Different Account for DB Engine or Instance
Different Account for Agent Job
and so on
Regards,
Syed Jahanzaib Bin Hassan
MCTS | MCITP | OCA | OCP | OCE | SCJP | IBMCDBA
My Blog
Regards,
Syed Jahanzaib Bin Hassan
BSCS | MCTS | MCITP | OCA | OCP | OCE | SCJP | IBMCDBA
My Blog
www.aureus-salah.com
May 1, 2011 at 8:14 am
Ideally you should use separate service accounts for different servers and a recommended approach too.
But in real world, with this approach the management becomes complex if you have large no of servers say 400-500 servers.
Well said Martin.....
Thank You,
Best Regards,
SQLBuddy
May 3, 2011 at 2:50 pm
sqlbuddy123 (5/1/2011)
Ideally you should use separate service accounts for different servers and a recommended approach too.But in real world, with this approach the management becomes complex if you have large no of servers say 400-500 servers.
Well said Martin.....
Thank You,
Best Regards,
SQLBuddy
We have never had any problem managing 300+ servers, all with different service accounts. I don't understand why that makes it more complex.
I think having common service accounts for that many servers would be a much larger management problem. If you found the password for a common service account had been compromised, how would you change it without major downtime?
May 25, 2011 at 9:31 pm
We have never had any problem managing 300+ servers, all with different service accounts. I don't understand why that makes it more complex.
Martin was stating each service account per SQL instance. Assuming you've only got SQL Server and SQL Server agent installed, does this mean your environment have at least 600+ service accounts, each for SQL and SQL Agent?
Just curious to know how you manage such large volume of SQL service accounts, especially during password reset period?
Simon
Simon Liew
Microsoft Certified Master: SQL Server 2008
Viewing 8 posts - 1 through 7 (of 7 total)
You must be logged in to reply to this topic. Login to reply