I've talked with a few colleagues about what might be best practice for using group managed service accounts in our environment.
It seems that ideally, we would create 1 gMSA per service (e.g. SQL Agent service) per server (e.g. SQLDEV01).
This would allow for maximum separation of concerns, such that if there is any issue with any service account (compromised, deleted, locked, corrupt, etc.) it would only affect the single service and single server that it is associated with.
One of the only cons to this approach is that there could be A LOT of gMSAs to create. But with that said, once they are created, there is not much need to manage them going forward.
The other issue I'm running into is naming the gMSA (I believe it must be 15 characters or less). It seems extremely difficult to come up with a name that denotes that the account is gMSA, is for a particular service, and for a particular server.
For example, a generic name following typical conventions might look like:
- gMSA_SQLDEV01_SQLAGT (20 characters)
It could be shortened to something like:
- gmsaSQLDEV01AGT (15 characters)
The above example is exactly 15 characters with no room to spare for other potentially more lengthy server or service names.
Is there any best practice or ways to handle these situations:
- group managed service accounts with separation of concerns?
- group managed service accounts with long names?
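As an added illustration of the one-gMSA-per-service-per-server layout described above (example code, not from the original post), the following PowerShell builds a name that stays within the 15-character limit and restricts password retrieval to the single host's computer account. The service abbreviation table, the `contoso.com` domain and the server name are placeholders; it assumes the ActiveDirectory RSAT module and a KDS root key already exist.

```powershell
# Added example: 15-character gMSA names plus one gMSA per service per server.
# Assumes the ActiveDirectory module and a KDS root key; names below are placeholders.

# Constructed abbreviation table; extend it with your own service codes.
$ServiceCodes = @{
    'SQL Server Agent' = 'AGT'
    'SQL Server'       = 'SQL'
    'IIS AppPool'      = 'IIS'
}

function New-GmsaName {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Service
    )
    $code = $ServiceCodes[$Service]
    if (-not $code) { throw "No abbreviation defined for service '$Service'" }
    # A single 'g' prefix marks the account as a gMSA and leaves room for long
    # server names; the gMSA sAMAccountName is limited to 15 characters (plus '$').
    $name = 'g' + $Server.ToUpper() + $code
    if ($name.Length -gt 15) {
        throw "gMSA name '$name' is $($name.Length) characters; must be 15 or fewer"
    }
    return $name
}

function New-ScopedGmsa {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Service,
        [string]$Domain = 'contoso.com'   # placeholder domain
    )
    $name = New-GmsaName -Server $Server -Service $Service
    # Only this one host's computer account may retrieve the managed password,
    # so a compromised server can only obtain the gMSAs scoped to itself.
    $computer = Get-ADComputer -Identity $Server
    New-ADServiceAccount -Name $name `
        -DNSHostName "$name.$Domain" `
        -PrincipalsAllowedToRetrieveManagedPassword $computer `
        -Description "gMSA for '$Service' on $Server"
    return $name
}

# One account for the SQL Agent service on SQLDEV01 -> gSQLDEV01AGT (12 characters)
New-ScopedGmsa -Server 'SQLDEV01' -Service 'SQL Server Agent'
```

After creation, `Install-ADServiceAccount` is run on the target server itself, and the service is configured to log on as `DOMAIN\gSQLDEV01AGT$`.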