
SQL Clone and GMSAs

MarkN Posts: 3 New member
Our business is moving to Group Managed Service Accounts (GMSAs) as much as possible.  Can SQL Clone Server and agents be run under a GMSA?

Best Answers

  • ChrisHurley Posts: 54 Silver 2
    SQL Clone ought to work with Group Managed Service Accounts provided that the services are granted the permissions they require (SQL Clone Server needs Windows Auth access to its configuration database, while SQL Clone Agents need admin access on the machines on which they run, full control over locations where you create images, and Windows Auth access as sysadmin to local instances where you want to create images and clones where relevant). You should be able to specify the gMSA username and leave the password blank in their respective setup tools.

    If you run into any problems with this, though, do let us know.
  • John_Zabroski_wam Posts: 10 Bronze 2
    I use it with gMSAs but the install process is a bit clunky.  You have to first put in a fake password, then delete the password, then click Submit.  So, Chris Hurley is not entirely correct.



  • MarkN Posts: 3 New member
    Thanks guys for the feedback.  I'll give GMSAs a go and feed back on this post.
  • Ah, thanks for the feedback - is that for the Server or Agent or both which required a fake password? We do have some code that's meant to accommodate gMSAs in credential validation but I'll take a look at it as there might be some incorrect checks somewhere.
  • This seems like something for the Red Gate QA team to investigate, not me.  If I happen to install a new agent I'll let you know, but I try not to mess too much with SQL Clone.
  • MarkN Posts: 3 New member
    Update:  ChrisHurley and John_Zabroski_wam were correct - Chris in terms of the permissions the GMSA needs, and John in that I couldn't apply the GMSA with blank password at setup of the clone agent.  I used a different account, then when setup was complete, changed the account to the GMSA for the service via the standard Services UI.
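A scripted version of the workaround in the update above (install under another account, then switch the service to the gMSA), added here as an example and not taken from any poster or from Redgate. The service name and the `CONTOSO\svc-sqlclone$` account are placeholders, since the thread does not give them, and the script assumes the ActiveDirectory PowerShell module is installed on the host.

```powershell
# Added example. Both values below are placeholders, not taken from the thread.
$ServiceName = '<sql-clone-agent-service-name>'   # look up the real name with Get-Service
$GmsaAccount = 'CONTOSO\svc-sqlclone$'            # constructed gMSA name; keep the trailing $

Import-Module ActiveDirectory

# 1. Confirm this host is allowed to retrieve the gMSA's managed password.
#    If this returns $false, fix the gMSA's allowed principals in AD first.
$samName = $GmsaAccount.Split('\')[-1]
if (-not (Test-ADServiceAccount -Identity $samName)) {
    throw "This host cannot use $GmsaAccount as a managed service account."
}

# 2. Record the current logon account so the change can be reverted or audited.
$before = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $before) { throw "Service '$ServiceName' not found." }
Write-Host "Current logon account: $($before.StartName)"

# 3. Switch the logon account. No password is supplied: for a gMSA the
#    Service Control Manager obtains the managed password from AD itself.
Stop-Service -Name $ServiceName -Force
& sc.exe config $ServiceName obj= $GmsaAccount | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "sc.exe config failed with exit code $LASTEXITCODE; service left on $($before.StartName)."
}

# 4. Verify the change took effect before starting the service again.
$after = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($after.StartName -ne $GmsaAccount) {
    throw "Logon account is '$($after.StartName)', expected '$GmsaAccount'."
}

# 5. Start the service; a failure here usually points to a missing permission
#    for the gMSA rather than to the account change itself.
Start-Service -Name $ServiceName
Get-Service -Name $ServiceName | Select-Object Name, Status
```

Unlike the Services UI, `sc.exe` does not grant the "Log on as a service" right, so assign it to the gMSA separately if the service fails to start with a logon error.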