Using Managed Service Accounts (pre Server 2012) access multiple servers

  • We have multiple SQL servers that all currently share a userID for the SQL service as well as have SA access and local Admin rights.
    Security hole, I know.

    The main problem is that we have SQL processes that move files from one server to another, so an individual MSA per server alone won't suffice. And we can't use gMSAs because we still have domain controllers in the 2008 realm.

    Is it possible to put all the individual MSAs in a group and then give that group local Admin rights on all the servers to allow SQL to pass files between servers?

  • gjryan59 - Friday, December 15, 2017 12:01 PM

    We have multiple SQL servers that all currently share a userID for the SQL service as well as have SA access and local Admin rights.
    Security hole, I know.

    The main problem is that we have SQL processes that move files from one server to another, so an individual MSA per server alone won't suffice. And we can't use gMSAs because we still have domain controllers in the 2008 realm.

    Is it possible to put all the individual MSAs in a group and then give that group local Admin rights on all the servers to allow SQL to pass files between servers?

    Yes, MSAs can be added to groups like any other account. And as you already know, that is pretty bad for security, so if nothing else, I would look at limiting the rights more, as they aren't likely to need to be local admins to pass files.
    For your reference, Microsoft's FAQ for MSAs addresses adding them to groups:
    Managed Service Accounts Frequently Asked Questions (FAQ)

    Sue
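
One way to set up what the reply describes, added here as an example and not taken from the thread or from Microsoft's FAQ: one standalone MSA per SQL server, all placed in a single group that gets Modify on a transfer folder instead of local Admin. The domain name `CONTOSO`, the server names, the group name and the folder path are hypothetical placeholders, and using a dedicated transfer folder is an assumption about how the files are moved.

```powershell
# Added example. CONTOSO, SQL01..SQL03, SQL-FileTransfer and D:\SqlTransfer
# are hypothetical placeholders; substitute your own values.
Import-Module ActiveDirectory

$domain    = 'CONTOSO'
$servers   = 'SQL01', 'SQL02', 'SQL03'
$groupName = 'SQL-FileTransfer'
$dropPath  = 'D:\SqlTransfer'

# --- Part 1: run once, from a machine with the AD PowerShell module ---

# One security group that will hold every per-server MSA.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security

foreach ($server in $servers) {
    $msaName = "msa$server"   # keep it short: MSA names are limited to 15 characters

    # Standalone MSA. With the Server 2012+ version of the module, add
    # -RestrictToSingleComputer, otherwise the cmdlet expects gMSA parameters.
    New-ADServiceAccount -Name $msaName -Enabled $true

    # Bind the MSA to the one computer allowed to use it.
    Add-ADComputerServiceAccount -Identity $server -ServiceAccount $msaName

    # MSAs are added to groups like any other account.
    Add-ADGroupMember -Identity $groupName -Members (Get-ADServiceAccount -Identity $msaName)
}

# Confirm the group contains exactly the expected accounts.
Get-ADGroupMember -Identity $groupName | Select-Object Name, objectClass

# --- Part 2: run locally on each SQL server ---

# Install the MSA that belongs to this host.
Install-ADServiceAccount -Identity "msa$env:COMPUTERNAME"

# Grant the group Modify on the transfer folder only (inherited by files and
# subfolders), and Change on the share, rather than local Admin on the server.
icacls $dropPath /grant "${domain}\${groupName}:(OI)(CI)M"
net share "SqlTransfer=$dropPath" "/GRANT:${domain}\${groupName},CHANGE"

# Review the result: the group should appear with (OI)(CI)(M) and nothing broader.
icacls $dropPath
```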
