Most security standards ask administrators to periodically cycle passwords, like those for service accounts. To ease that burden, Microsoft released the Managed Service Accounts (a.k.a., MSA) with Windows Server 2008 R2 and Windows 7. MSA is an active directory account associated with a specific computer on the domain. The account’s password is complex and managed by the domain.

For this example, I’m using the old sandbox.local domain. I’ve got two machines on the domain running Windows Server 2016: a DC named sbx-dc01 and a server named sbx-misc-dbs02. sbx-misc-dbs02 is doing to be hosting a default instance of SQL Server. We’ll be creating an MSA named svc-dbs02-eng01, installing it on our database server (sbx-misc-dbs02), and configuring SQL Server to run as that user.

Execute the following instructions to provision the MSA and configure a SQL Server instance to use it:

Before You Start: This instructions in this section need to be run by someone with rights to create and install an MSA.

1. From the target machine, launch a PowerShell terminal as an Administrator.
2. Update and run the following command script.

New-ADServiceAccount -Name <service-account-name> -DNSHostName <fully-qualified-service-account-name> -Enabled $True
Add-ADComputerServiceAccount -Identity <target-machine-name> -ServiceAccount <service-account-name>
Set-ADServiceAccount -Identity <service-account-name> -PrincipalsAllowedToRetrieveManagedPassword <distinguished-name-target-machine>
Install-ADServiceAccount -Identity <service-account-name>

Before use, change anything in angle brackets to relevant values for your test, for example:

New-ADServiceAccount -Name svc-dbs02-eng02 -DNSHostName svc-dbs02-eng02.sandbox.local -Enabled $true
Add-ADComputerServiceAccount -Identity sbx-misc-dbs02 -ServiceAccount svc-dbs02-eng02
Set-ADServiceAccount -Identity 'svc-dbs02-eng02' -PrincipalsAllowedToRetrieveManagedPassword 'CN=SBX-MISC-DBS02,CN=Computers,DC=sandbox,DC=local'
Install-ADServiceAccount -Identity 'svc-dbs02-eng02'

• 

NOTE: We call Test-ADServiceAccount in the screen shot above. While not required, you may call this commandlet to verify the account was installed. This especially helpful if you’re creating the account for someone else to use.

3. Open SQL Server Configuration Manager.
4. Select SQL Server Services from the left pane, right-click the service you want to configure on the right pane, and select Properties.
5. Select the Log On tab.

6. Enter the service account name (domain\accountName) followed by a dollar sign ($) into the Account Name field. Do not include a password.
7. Click Apply.

8. Click Yes when prompted to restart the service.

The SQL Server service should start successfully, and when it does, your instance should be running as the MSA you created.

One caution, remember to make the service account assignment from SQL Server Configuration Manager. Configuration Manager assigns various permissions to the account allowing it to successfully run the SQL Server process.