Configuring gMSA account to run ApexSQL Audit processes (4242477)

Group Managed Service Account as a feature provides automatic password management within a domain and simplifies service principal maintenance. The periodically changed password will be automatically updated and retrieved from the domain controller, which adds to security techniques that are commonly followed nowadays.

To completely utilize this feature to run ApexSQL Audit components, requires both central and audited service to run under the specific gMSA account. In below text we will distinctively describe how to configure each service to run under gMSA principal.

Central process

To configure central process using gMSA account, the application installation has to be performed.

ApexSQL Audit installer can be instantiated either:

1. By running ApexSQL Audit.exe installer file
2. Running ApexSQL.Audit.installer.exe file from the installation path if the product is previously installed already, the default location path is “C:\ProgramFiles\ApexSQL\ApexSQL Audit\ApexSQ.Audit.Installer.exe”

No matter the choice, ApexSQL Audit central configuration dialog will prompt for the setup input.

To complete the installation:

1. In the Credentials configuration group select “Group managed service account” option
2. Type the Username for the gMSA account
3. Click OK

Shortly after the installation processing, the central background process will be started and running under the used account:

Distributed (remote) process

Audited (distributed) agent configuration is much likely easier and faster to configure through the application interface.

To complete the process:

1. Run ApexSQL Audit application interface
2. Switch to the Configure tab in the main application ribbon menu
3. Highlight the SQL server instance for the account change and click Edit
4. In the Auditing agent properties dialog choose the “Group managed service account” option in the Credential section
5. Type the account username
6. Click OK

The same dialogue will be available if the Add server option is clicked to configure new instances for auditing.

Right after the newly created process “ApexSQL Audit Processor Distributed” will run under the configured account:

With the explained easy setup, the gMSA account will be utilized to run auditing processes which, in long term, will prevent interruptions of those processes due to password changes for regular accounts.