Settings for the Cluster service domain account and the SQL Server service domain account
When you are setting up a SQL Server cluster, you should think about the security privileges that are required for the Cluster Administrator account and the SQL Server services account. Do not attempt to use the same account for both services, as it will be a single point of failure.
Further, you can't take chances with poor security in an enterprise setup, so you have to make sure your permission settings are correct. To ensure security, both the Cluster service domain account and the SQL Server service domain account should be standard user accounts in Active Directory, set to "User Cannot Change Password" and "Password Never Expires". As I have seen, sometimes the "Password Never Expires" option does not get ticked, in which case you will get a problem with the Cluster services 42 days after setup.
The Cluster Service domain account will need to be a member of the administrators group on each cluster node. The SQL Server service domain account will be granted the following local policy user rights assignments on the cluster nodes (there is no need to add these rights to a group policy):
- Act as part of the operating system
- Allow log on locally
- Bypass traverse checking
- Lock pages in memory
- Log on as a batch job
- Log on as a service
- Replace a process-level token
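
To confirm these rights on a node, the following added example (not part of the original post) exports the local user rights with `secedit` and checks each one for the service account. The account name `CONTOSO\svc-sql` is a placeholder, and the script assumes it is run elevated on the cluster node.

```powershell
# Added example: audit the user rights listed above for one account on this node.
# Assumption: run from an elevated prompt; the default account name is a placeholder.
param([string]$Account = 'CONTOSO\svc-sql')   # hypothetical account name

# Display name from the list above -> constant used in the secedit export
$required = [ordered]@{
    'Act as part of the operating system' = 'SeTcbPrivilege'
    'Allow log on locally'                = 'SeInteractiveLogonRight'
    'Bypass traverse checking'            = 'SeChangeNotifyPrivilege'
    'Lock pages in memory'                = 'SeLockMemoryPrivilege'
    'Log on as a batch job'               = 'SeBatchLogonRight'
    'Log on as a service'                 = 'SeServiceLogonRight'
    'Replace a process-level token'       = 'SeAssignPrimaryTokenPrivilege'
}

# Resolve the account to its SID; secedit writes principals as *S-1-5-...
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP "user-rights-$PID.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
try {
    # Parse lines such as "SeTcbPrivilege = *S-1-5-18,*S-1-5-21-..."
    $granted = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $granted[$Matches[1]] = $Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }
} finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

$short = $Account.Split('\')[-1]
foreach ($name in $required.Keys) {
    $holders = @($granted[$required[$name]])
    # Direct grants only: rights held through group membership are not expanded
    $ok = ($holders -contains $sid) -or ($holders -contains $Account) -or
          ($holders -contains $short)
    [pscustomobject]@{ Right = $name; Constant = $required[$name]; Granted = $ok }
}
```

Any row with `Granted` set to `False` is a right the account does not hold directly on that node.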
Further, within the security policy of the server, ensure that the SQL Server service account has "Account is Trusted for Delegation" selected and "Account is sensitive and cannot be delegated" unselected.