?
Solved

To update SQL service account password by using Active Directory User and Groups program

Posted on 2011-10-30
8
Medium Priority
?
369 Views
Last Modified: 2012-05-12
I have configured a domain user account named SQLService for the SQL server service. The SQLService account is in the Log On As tab of the SQL service in the service panel of the server. My concern now is that I cannot automatically update the password for this SQLService user account. I found that when I updated the password for SQLService account in the Active Directory, the new password would not apply to the passwords set the service panels of the SQL servers in the domain.
Do I have to manually logon to each SQL server and update the password for the SQLService account?

0
Comment
Question by:atlasdev
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 7

Accepted Solution

by:
MrAli earned 1400 total points
ID: 37055029
Yes unfortunately, that is the problem with using service accounts.  Keep that in mind when designing your service plan strategy.  If someone locks out a user, and you have 20 sql servers, do you want all 20 to use the same user name thus be locked out in all servers and have SQL server fail?  I prefer to make each service account on each user different, due to this behavior.
0
 
LVL 12

Assisted Solution

by:NormanMaina
NormanMaina earned 200 total points
ID: 37055170
yes,that's the only solution for now.
0
 
LVL 7

Expert Comment

by:MrAli
ID: 37055174
Some security policies let you get away with setting a service account password 1 time and never changing it.  See if your company does, or if they will invest in a service account password management tool as part of AD suite, not sure if any really good ones exist.
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
LVL 70

Assisted Solution

by:Scott Pletcher
Scott Pletcher earned 400 total points
ID: 37056770
You should always use the SQL Configuration tool to change SQL account passwords, along with changing it also in AD, of course.

You can leave SQL running (under the old password), you don't have to immediately reboot SQL.
0
 

Author Comment

by:atlasdev
ID: 37058033
This is a security weakness of SQL 2008. I have security policies that I must follow and one of them requires me to change the password of a user account at least once annually.
It seems that if I want to enable SQL 2008 log shipping or other features which require me to use a user account as the service account, I must manually go to each server's config tool to update the password.
0
 
LVL 7

Expert Comment

by:MrAli
ID: 37058118

Atlasdev was asking about SQL Server "Service" account passwords needed to run the engine, not the internal server passwords used by the engine to grant access to objects.  As far as changing internal SQL Server passwords go, there are a lot of best practices, as you mentioned.
0
 
LVL 70

Expert Comment

by:Scott Pletcher
ID: 37059708
MrAli:

When you want to change the password for the domain account that runs the SQL Server service -- or any other SQL Server service, such as Reporting Services -- you should *always* use the SQL Config tool to do that.  Change the Account password in AD, then change it in the *SQL Server Config tool*, *not* in the *WIndows* service tools.


Yes, unfortunately, when the pwd changes, you must go thru that process for changing the pwd in SQL.
0
 

Author Closing Comment

by:atlasdev
ID: 37059775
Basically, I got confirmation that there is no solution of my question.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hi all, It is important and often overlooked to understand “Database properties”. Often we see questions about "log files" or "where is the database" and one of the easiest ways to get general information about your database is to use “Database p…
This article explains how to reset the password of the sa account on a Microsoft SQL Server.  The steps in this article work in SQL 2005, 2008, 2008 R2, 2012, 2014 and 2016.
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question