Question

For security reasons, we want to change the password that starts the SQL Server service every day. Is it possible to do this without restarting the service?

If it is possible, will the changes be immediately applied, or will I eventually need to restart the service to get the new password?

We were thinking of doing this change in the services option of the Windows OS and not in SQL Server Configuration Manager.


Solution

I would not go through group managed service accounts initially, depending on the issue and environment you are dealing with.

I am not sure what version of SQL Server and what type of security issues you have, but from previous experience, permissions to SQL Server service and agent accounts take effect after restarting the service.

I would rather use SQL Server Configuration Manager whenever possible.

If you are concerned about security, you most definitely need to be able to restart this service. If that is not possible, then your environment is asking for a good availability group to be configured, so you are always on, because you need to bear in mind that you need to patch your servers on a regular basis, and that requires reboots most of the time.

Please review what is preventing you from restarting and address that with management.

OTHER TIPS

...for security reasons we want to change the password that starts the sql server service everyday

I realize this is probably outside your control, but it's worth mentioning that this is not a good idea for security. It's a high process overhead for your organization (even if it's generally automated in some way), and it will likely lead to increased chances of some kind of password breach.

Think about it like this: every time you open the bank vault, there is a risk that some malicious person can get inside. Would you rather open the vault every single day and change the locks, or open it occasionally and keep a really big lock on it (long, secure password)?

Accessing the password every day (to change it, and then apply it to the service account) is like this. You should favor a very secure password over changing the password frequently.


If you are required to do this, though - why don't you want to use SQL Server Configuration Manager? That is the recommended method per the docs:

SQL Server Configuration Manager - Changing the Accounts Used by the Services

Always use SQL Server tools such as SQL Server Configuration Manager to change the account used by the SQL Server or SQL Server Agent services, or to change the password for the account. In addition to changing the account name, SQL Server Configuration Manager performs additional configuration such as setting permissions in the Windows Registry so that the new account can read the SQL Server settings. Other tools such as the Windows Services Control Manager can change the account name but do not change associated settings. If the service cannot access the SQL Server portion of the registry the service may not start properly.

Emphasis added by me. So doing this outside of the service can cause reliability issues with your database engine.

Regarding avoiding a restart, using the configuration manager accomplishes this goal as well:

As an additional benefit, passwords changed using SQL Server Configuration Manager, SMO, or WMI take effect immediately without restarting the service.

Of course, as other answers have mentioned, you should be allowed to restart the service from time to time (Windows Updates, etc).
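
The documentation quoted above names SMO as one of the routes that applies a new password without a restart. The following sketch is an added example, not part of the original answers: it updates the password through the SMO WMI provider and compares the service's process ID before and after to confirm nothing restarted. The computer name `sql1` and service name `MSSQL$MYINSTANCE` are sample values borrowed from this page, and it assumes SMO is installed, the account's password has already been changed in Windows or Active Directory, and remote CIM access to the server is available.

```powershell
# Added example. 'sql1' and 'MSSQL$MYINSTANCE' are sample names from this page;
# SMO and remote CIM (WinRM) access are assumed to be available.
param(
    [string]$ComputerName = 'sql1',
    [string]$ServiceName  = 'MSSQL$MYINSTANCE'
)

# Load the SMO WMI provider classes (ships with the SQL Server management tools).
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')

# Prompt for both passwords so neither lands in the script or the shell history.
$old = Read-Host -AsSecureString 'Current password for the service account'
$new = Read-Host -AsSecureString 'New password for the service account'

# SMO's ChangePassword takes plain strings; convert only at the point of use.
function ConvertTo-PlainText([securestring]$Secure) {
    [System.Net.NetworkCredential]::new('', $Secure).Password
}

$computer = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer $ComputerName
$service  = $computer.Services[$ServiceName]
if ($null -eq $service) { throw "Service '$ServiceName' not found on $ComputerName." }

# Record the process ID so we can confirm afterwards that nothing restarted.
$filter    = "Name='$ServiceName'"
$pidBefore = (Get-CimInstance Win32_Service -ComputerName $ComputerName -Filter $filter).ProcessId

# Update the stored service credential and commit the change.
$service.ChangePassword((ConvertTo-PlainText $old), (ConvertTo-PlainText $new))
$service.Alter()

$service.Refresh()
$pidAfter = (Get-CimInstance Win32_Service -ComputerName $ComputerName -Filter $filter).ProcessId

# Summary: SameProcess = True means the engine kept running through the change.
[pscustomobject]@{
    Service     = $service.Name
    Account     = $service.ServiceAccount
    State       = $service.ServiceState
    SameProcess = ($pidBefore -eq $pidAfter)
}
```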

for security reasons we want to change the password that starts the sql server service everyday

Why is the SQL Server service restarted every day? Just before you restart the service, you can use dbatools - Update-DbaServiceAccount to update the password for the SQL Server service account.

E.g., the below changes the current service account's password of the service MSSQL$MYINSTANCE to 'Qwerty1234':

$SecurePassword = ConvertTo-SecureString 'Qwerty1234' -AsPlainText -Force
Update-DbaServiceAccount -ComputerName sql1 -ServiceName 'MSSQL$MYINSTANCE' -SecurePassword $SecurePassword
Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange