Does a Managed Service Account require a domain

Create a group to encapsulate the users (Local-Admins-Tablets) and add them to this group

Create a sub-OU of the current workstations OU and put the tablets in here (Workstations\Tablets)

Create a GPO (Local-Admins-Tablets-Policy) and link it to the Workstations\Tablets OU

In the GPO, set the following:

• Comp Config - Policies - Windows Settings - Security Settings - Restricted Groups
• Right click, Add Group
• "Administrators", OK
• Members of this Group: myDomain\Local-Admins-Tablets

Reboot the PCs, and done.

Bear in mind that setting Restricted Groups will overwrite the machines existing list of local Administrators. If you have other users/groups in there already, you will need to add them to this policy too. Other examples would be myDomain\Domain Admins etc

EDIT: Oh, and change the filtering on the GPO and add Domain Computers. The easiest way to do this is to use the Group Policy Management MMC snapin (you can get this from the Remote Server Administration Tools from Microsoft)

@Tom pointed me in the right direction, I think. Windows Server 2008 R2 introduced the idea of Managed Service Accounts and Virtual Service Accounts. This feature appears to be what I was looking for in eliminating the management of passwords.

Check out Scott Forsythe's post Managed Service Accounts (MSA) and Virtual Accounts and TechNet's Service Accounts: Step by Step Guide for more information.

Here is a side by side comparison of Managed Service Accounts vs. Virtual Accounts.

The Achilles heel of Managed Service Accounts is that they are limited to 1 computer for some reason? This doesn't allow me to scale out and forces me back into the traditional service account model where I am responsible for the service account. If I have to do that, then adding local accounts (with random passwords, or even machine account) to a particular AD group and map that to Sql Roles still seems to work? I really would like to have someone with ops experience help me understand why that is bad.

I don't understand the implication of not allowing the machine account network access as long as I am securing that node via other means. E.g. allowing only outbound service calls to known endpoints via firewall, or some other means?

Otherwise, Managed Service Accounts and Virtual Accounts seem to be functionally the equivalent of what I was looking for.