Automated creation, configuration, and validation of Group Managed Service Accounts (gMSA) for SQL Server Database Engine and SQL Server Agent services.
This PowerShell solution streamlines the deployment of Microsoft Active Directory Group Managed Service Accounts for SQL Server environments. It automates the entire lifecycle, from Active Directory preparation and KDS Root Key validation to gMSA creation, host authorization, installation, and verification on SQL Server nodes.
The solution is designed for both standalone and clustered SQL Server deployments and follows Microsoft's recommended approach for service account management. By using gMSA accounts, organizations can improve security, eliminate manual password management, simplify service account maintenance, and support compliance requirements.
The automation operates in two phases:
Domain Controller Phase – Prepares Active Directory, validates KDS infrastructure, creates security groups, and deploys gMSA accounts.
SQL Server Node Phase – Installs and validates gMSA accounts on SQL Server hosts.
Key Capabilities
- Automated KDS Root Key validation and creation
- Active Directory security group creation and management
- SQL Server host registration for gMSA password retrieval
- SQL Server Engine gMSA deployment
- SQL Server Agent gMSA deployment
- Existing service account cleanup and recreation
- Automated installation of gMSAs on SQL Server nodes
- Service account validation using Test-ADServiceAccount
- Multi-server and cluster-ready deployment model
- Consistent implementation of Microsoft security best practices
Functions
- Ensure-ADModule – Validates and installs Active Directory PowerShell components.
- Ensure-KdsRootKey – Verifies or creates the KDS Root Key.
- Ensure-GmsaHostGroup – Creates and manages the SQL Server host security group.
- Remove-OldServiceAccountIfExists – Removes legacy or existing service accounts.
- New-CleanGmsa – Creates SQL Server Engine and Agent gMSA accounts.
- Install-And-Test-Gmsa – Installs and validates gMSAs on SQL Server hosts.
- Assert-NoLegacyCommandInScript – Ensures deprecated commands are not used.
Benefits
- Eliminates manual password rotation
- Reduces privileged account exposure
- Simplifies SQL Server service account administration
- Improves security and compliance posture
- Standardizes SQL Server deployments across environments
- Supports high-availability and clustered SQL Server infrastructures
