Managed Service Account Naming Convention

A while back I had to help a customer update their naming standard for their Managed Service Accounts, so I thought I would share some of those details.

The DBAs and other administrators had a difficult time determining which service account belonged to which server and to which service. They had a corporate requirement to have separate accounts for each service; for example, one for the engine and one for the agent. Their current naming convention was just to have an incrementing number at the end.

  • SVCSQL1$ = DB engine service
  • SVCSQL2$ = Agent service
  • SVCSQL3$ = Full Text service

This quickly became a nightmare once they started installing multiple instances on the server, because it made it nearly impossible to determine which service account when to which service.

To start with, we came up with a 2-letter suffix for the account name that would describe which SQL service it would be used for.

  • EN = DB engine service
  • AG = Agent service
  • FT = Full Text service
  • IS = Integration service
  • AS = Analysis Service
  • RS = Reporting Service
  • BI = PowerBI Report Server (on-prem)

What this gave us a way to differentiate the service accounts from one another. So, for the first installed instance, we’d have these accounts.

  • SVCSQLEN1$ = DB engine service
  • SVCSQLAG1$ = Agent service
  • SVCSQLFT1$ = Full Text service

This way we know that all the accounts ending in “1” are running a service for the first instance. The second installed instance would follow these names.

  • SVCSQLEN2$ = DB engine service
  • SVCSQLAG2$ = Agent service
  • SVCSQLFT2$ = Full Text service

The next change was to incorporate some part of the server name in the account. Each server had a 2 or 3-digit number in the server name, for example, SVRSQL172. So we just used that number within the account name.

  • SVCSQL172EN1$ = DB engine service
  • SVCSQL172AG1$ = Agent service
  • SVCSQL172FT1$ = Full Text service

For servers that were configured as an Availability Group cluster or a failover cluster (FCI), we used the number from the Windows cluster name. For example, if you have two cluster nodes SVRSQL123 and SVRSQL124 that are joined to the Windows cluster SVRCLU485, we will use CLU485 in the account name. This is because we must use the same SQL service accounts on each node of the cluster. That would give us account names that would look like this.

  • SVCSQLCLU485EN1$ = DB engine service
  • SVCSQLCLU485AG1$ = Agent service
  • SVCSQLCLU485FT1$ = Full Text service

To decode the account:

  • SVC = designates it as a service account
  • SQL = used for a SQL Server
  • CLU = used for a cluster (only used if clustered)
  • 485 = Windows server number or Windows cluster number
  • EN (AG, FT, etc) = designates which SQL service
  • 1 = the first installed SQL instance

Finally, we updated the Description field for each account to add even more details. This was to help other administrators, more than the DBAs. But when looking at the list of Managed Service Accounts through AD Users and Computers, it’s clear to see what account is used for which service. See the example picture below from my lab.

There are hundreds of ways to name service accounts. This is just one example, but I thought it was interesting enough to share.

Additional reference:
https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts

Share