Setting Up Windows Service Accounts

SQL Server 2008 Books Online (October 2008)

Each service in SQL Server represents a process or a set of processes to manage authentication of SQL Server operations with Windows. This topic describes the default configuration of services in this release of SQL Server, and configuration options for SQL Server services that you can set during SQL Server installation.

Depending on the components that you decide to install, SQL Server Setup installs the following services:

• SQL Server Database Services - The service for the SQL Server relational Database Engine.
  
• SQL Server Agent - Executes jobs, monitors SQL Server, fires alerts, and enables automation of some administrative tasks.
  

  Note:
  For SQL Server and SQL Server Agent to run as services in Windows, SQL Server and SQL Server Agent must be assigned a Windows user account. For more information about how to customize account information for each service, see How to: Install SQL Server 2008 (Setup).

• Analysis Services - Provides online analytical processing (OLAP) and data mining functionality for business intelligence applications.
  
• Reporting Services - Manages, executes, creates, schedules, and delivers reports.
  
• Integration Services - Provides management support for Integration Services package storage and execution.
  
• SQL Server Browser - The name resolution service that provides SQL Server connection information for client computers.
  
• Full-text search - Quickly creates full-text indexes on content and properties of structured and semistructured data to provide document filtering and word-breaking for SQL Server.
  
• SQL Server Active Directory Helper - Publishes and manages SQL Server services in Active Directory.
  
• SQL Writer - Allows backup and restore applications to operate in the Volume Shadow Copy Service (VSS) framework.
  

The remainder of this topic is divided into the following sections:

• Configuring Service StartupType
  
• Using Startup Accounts for SQL Server Services
  
• Using Service SIDs for SQL Server Services
  
• Identifying Instance-Aware and Instance-Unaware Services
  
• Reviewing NT Rights and Privileges Granted for SQL Server Service Accounts
  
• Reviewing Access Control Lists Created for SQL Server Service Accounts
  
• Reviewing Windows Permissions for SQL Server Services
  
• Reviewing Additional Considerations
  
• Localized Service Names
  

 Configuring Service Startup Type

During SQL Server Setup, you can configure the startup type - disabled, manual, or automatic - for some SQL Server services. The following table shows the SQL Server services that can be configured during installation. For unattended installations, you can use the switches in a configuration file or at a command prompt.

SQL Server service name	Configurable in Installation Wizard?	Switches for unattended installations1
MSSQLSERVER	Yes	SQLACCOUNT, SQLPASSWORD, SQLAUTOSTART
SQLServerAgent2	Yes	AGTACCOUNT, AGTPASSWORD, AGTAUTOSTART
MSSQLServerOLAPService	Yes	ASACCOUNT, ASPASSWORD, ASAUTOSTART
ReportServer	Yes	RSACCOUNT, RSPASSWORD, RSAUTOSTART
Integration Services	Yes	ISSVSAccount, ISSVCPassword, ISSVCStartupType

1For more information and sample syntax for unattended installations, see How to: Install SQL Server 2008 from the Command Prompt.

2The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.

 Using Startup Accounts for SQL Server Services

To start and run, each service in SQL Server must have an account configured during installation. Startup accounts used to start and run SQL Server can be built-in system accounts, local user accounts, or domain user accounts.

Domain User Account

If the service must interact with network services, access domain resources like file shares or if it uses linked server connections to other computers running SQL Server, you might use a minimally-privileged domain account. Many server-to-server activities can be performed only with a domain user account. This account should be pre-created by domain administration in your environment.

Local User Account

If the computer is not part of a domain, a local user account without Windows administrator permissions is recommended.

Local Service Account

The Local Service account is a built-in account that has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session without credentials. Be aware that the Local Service account is not supported for the SQL Server or SQL Server Agent services. The actual name of the account is "NT AUTHORITY\Local Service account".

Network Service Account

The Network Service account is a built-in account that has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account. The actual name of the account is "NT AUTHORITY\NetworkService".

Local System Account

Local System is a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network. The actual name of the account is "NT AUTHORITY\System".

In addition to having user accounts, every service has three possible startup states that users can control:

• Disabled   The service is installed but not currently running.
  
• Manual   The service is installed, but will start only when another service or application needs its functionality.
  
• Automatic   The service is automatically started by the operating system.
  

The following table shows optional accounts for each SQL Server service, and the startup states for each service.

SQL Server service name	Optional accounts	Startup type	Default state following Setup
SQL Server	SQL Server Express: Domain User, Local System, Network Service1 All other editions: Domain User, Local System, Network Service1	Automatic1	Started Stopped only if user chooses not to autostart.
SQL Server Agent	Domain User, Local System, Network Service1	Manual2 Automatic only if user chooses to autostart	Stopped Started only if user chooses to autostart.
Analysis Services	Domain User, Network Service, Local Service, Local System	Automatic	Started Stopped only if user chooses not to autostart.
Reporting Services	Domain User, Local System, Network Service, Local Service	Automatic	Started Stopped only if user chooses not to autostart.
Integration Services	Domain User, Local System, Network Service, Local Service	Automatic	Started Stopped only if user chooses not to autostart.
Full-Text Search	Use an account different than the account for the SQL Server service. The account will default to Local Service on Windows Server 2008 and Windows Vista.	Automatic	Started Stopped only if an account is not specified on Windows Server 2003 or Windows XP.
SQL Server Browser	Local Service	Disabled3 Automatic only if user chooses to autostart.	Stopped Started only if user chooses to autostart.
SQL Server Active Directory Helper	Local System, Network Service	Disabled	Stopped
SQL Writer	Local System	Automatic	Started

Important   

1Set as manual in failover cluster configurations.

2The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.

3By default, for failover cluster installations and named instances, the SQL Server Browser is set to start automatically after Setup finishes.

Security Note   Always run SQL Server services by using the lowest possible user rights. Use a specific low-privilege user account or domain account instead of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Do not grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted directly to a service SID.

Using Service SIDs for SQL Server Service Configurations

Service security IDs (SIDs) are available in SQL Server 2008 on Windows Server 2008 and Windows Vista operating systems to enable service isolation. Service isolation provides services a way to access specific objects without having to either run in a high-privilege account or weaken the security protection of the object. A SQL Server service can use this identity to restrict access to its resources by other services or applications.

A service isolates an object for its exclusive use by securing the resource by using an access control entry that contains a service SID. This per-service SID is derived from the service name and is unique to that service, for example, a service SID name for a SQL Server service might be NT Service\MSSQL$<InstanceName>. After a SID has been enabled for a service, the SID is added to the local security group in Windows. The service owner can modify the access control list for an object to give access to the SID. For example, a registry key in HKEY_LOCAL_MACHINE\SOFTWARE would usually be available only to services that have administrative credentials. By adding the per-service SID to the access control list of the key, the service can run in a lower-privilege account, but still have access to the key.

During installation, Setup creates a service group for each component of SQL Server. On Windows Server 2003 and Windows XP, service accounts for SQL Server services are added to the local service groups and function on these operating systems as they have in previous SQL Server releases; SQL Server services connect to an instance of SQL Server as members of the local group. On Windows Server 2008 and Windows Vista, the service SID is added to the local security group instead of the SQL Server service account.

Supported Service Configurations

Installing SQL Server 2008 on a Windows Server 2008 domain controller requires SQL Server services to be provisioned with a service SID. SQL Server 2008 is not supported where failover cluster nodes are domain controllers.

Installing SQL Server 2008 on a Windows Server 2003 domain controller requires the domain for SQL Server services to be provisioned with a domain account.

The following table shows the supported service configurations for new and upgraded installations on Windows Server 2008 or Windows Vista.

New installation	Upgrade
Stand-alone instance - Service group with service SID Failover cluster instance - Service SID Domain Controller - Service SID	Stand-alone instance - Service group with service SID Failover cluster instance - Service group with service account

The following table shows the service configurations for new and upgraded installations on Windows Server 2003 or Windows XP.

New installation	Upgrade
Stand-alone instance- Service group with service account Failover cluster instance - Domain service group with service account Domain Controller - Service group with service account	Stand-alone instance - Service group with service account Failover cluster instance - Service group with service account

Changing User Accounts

To change the service accounts, password, service startup type, or other properties of any SQL Server–related service, use SQL Server Configuration Manager. For reporting services, use the Reporting Services Configuration Tool. Note that renaming the instance of SQL Server does not rename SQL Server security groups. The security groups will continue to function with the old names after the renaming operation.

 Identifying Instance-Aware and Instance-Unaware Services

Instance-aware services are associated with a specific instance of SQL Server, and have their own registry hives. You can install multiple copies of instance-aware services by running SQL Server Setup for each component or service. Instance-unaware services are shared among all installed SQL Server instances. They are not associated with a specific instance, are installed only once, and cannot be installed side-by-side.

Instance-aware services in SQL Server include the following:

• SQL Server
  
• SQL Server Agent
  Be aware that the SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.
  
• Analysis Services
  
• Reporting Services
  
• Full-text search
  

Instance-unaware services in SQL Server include the following:

• Integration Services
  
• SQL Server Browser
  
• SQL Server Active Directory Helper
  
• SQL Writer
  

 Reviewing Windows NT Rights and Privileges Granted for SQL Server Service Accounts

SQL Server Setup creates local service groups for different SQL Server services and adds the service accounts or service SIDs to them as appropriate. These groups simplify granting the permissions that are required to run SQL Server services and other executables, and help secure SQL Server files. For stand-alone instances of SQL Server on Windows Vista and Windows Server 2008 operating systems, service SIDs are automatically added to the group. For failover cluster instances on Windows Server 2008, Setup does not require domain groups by default. Instead, the SQL Server resources are directly added to the service SID through ACLs (access control lists). Users can choose domain groups and domain accounts to run SQL Server services. Note that to use domain groups, they must be pre-created before you run SQL Server Setup. Unique domain groups should be used when you install SQL Server services on a domain controller, and only domain accounts can be used for these groups.

The following table shows the user groups that SQL Server Setup creates that are granted specific Windows NT user rights.

SQL Server service	User group	Default permissions granted by SQL Server Setup
SQL Server	Default instance: SQLServerMSSQLUser$ComputerName$MSSQLSERVER Named instance: SQLServerMSSQLUser$ComputerName$InstanceName	Log on as a service (SeServiceLogonRight)1 Log on as a batch job (SeBatchLogonRight) Replace a process-level token (SeAssignPrimaryTokenPrivilege) Bypass traverse checking (SeChangeNotifyPrivilege) Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) Permission to start SQL Server Active Directory Helper Permission to start SQL Writer Permission to read the Event Log service Permission to read the Remote Procedure Call service
SQL Server Agent3	Default instance: SQLServerSQLAgentUser$ComputerName$MSSQLSERVER Named instance: SQLServerSQLAgentUser$ComputerName$InstanceName	Log on as a service (SeServiceLogonRight) Log on as a batch job (SeBatchLogonRight) Replace a process-level token (SeAssignPrimaryTokenPrivilege) Bypass traverse checking (SeChangeNotifyPrivilege) Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
Analysis Services	Default instance: SQLServerMSOLAPUser$ComputerName$MSSQLSERVER Named instance: SQLServerMSOLAPUser$ComputerName$InstanceName	Log on as a service (SeServiceLogonRight)
SSRS	Default instance: SQLServerReportServerUser$ComputerName$MSRS10.MSSQLSERVER Named instance: SQLServerReportServerUser$ComputerName$MSRS10.InstanceName	Log on as a service (SeServiceLogonRight)
Integration Services	Default or named instance: SQLServerDTSUser$ComputerName	Log on as a service (SeServiceLogonRight) Permission to write to application event log. Bypass traverse checking (SeChangeNotifyPrivilege) Impersonate a client after authentication (SeImpersonatePrivilege)
Full-text search	Default instance: SQLServerFDHostUser$ ComputerName$MSSQL10.MSSQLSERVER Named instance: SQLServerFDHostUser$ComputerName$MSSQL10.InstanceName	Log on as a service (SeServiceLogonRight)
SQL Server Browser	Default or named instance: SQLServerSQLBrowserUser$ComputerName	Log on as a service (SeServiceLogonRight)
SQL Server Active Directory Helper	Default or named instance: SQLServerMSSQLServerADHelperUser$ComputerName	None2
SQL Writer	N/A	None2

1This permission is granted by default to all SQL Server services.

2 SQL Server Setup does not check or grant permissions for this service.

3The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.

 Reviewing Access Control Lists Created for SQL Server Service Accounts

SQL Server service accounts must have access to resources. Access control lists are set at the user group level.

Important:
For failover cluster installations, resources on shared disks must be set to an ACL for a local account.

The following table shows the ACLs that are set by SQL Server Setup:

Service account1 for	Files and folders	Access
MSSQLServer	Instid\MSSQL\backup	Full control
	Instid\MSSQL\binn	Read, Execute
	Instid\MSSQL\data	Full control
	Instid\MSSQL\FTData	Full control
	Instid\MSSQL\Install	Read, Execute
	Instid\MSSQL\Log	Full control
	Instid\MSSQL\Repldata	Full control
	100\shared	Read, Execute
	Instid\MSSQL\Template Data (SQL Server Express only)	Read
SQLServerAgent2	Instid\MSSQL\binn	Full control
	Instid\MSSQL\binn	Full control
	Instid\MSSQL\Log	Read, Write, Delete, Execute
	100\com	Read, Execute
	100\shared	Read, Execute
	100\shared\Errordumps	Read, Write
FTS	Instid\MSSQL\FTData	Full control
	Instid\MSSQL\FTRef	Read, Execute
	100\shared	Read, Execute
	100\shared\Errordumps	Read, Write
	Instid\MSSQL\Install	Read, Execute
	Instid\MSSQL\jobs	Read, Write
MSSQLServerOLAPservice	100\shared\ASConfig	Full control
	Instid\OLAP	Read, Execute
	Instid\Olap\Data	Full control
	Instid\Olap\Log	Read, Write
	Instid\OLAP\Backup	Read, Write
	Instid\OLAP\Temp	Read, Write
	100\shared\Errordumps	Read, Write
SQLServerReportServerUser	Instid\Reporting Services\Log Files	Read, Write, Delete
	Instid\Reporting Services\ReportServer	Read, Execute
	Instid\Reportingservices\Reportserver\global.asax	Full control
	Instid\Reportingservices\Reportserver\Reportserver.config	Read
	Instid\Reporting Services\reportManager	Read, Execute
	Instid\Reporting Services\RSTempfiles	Read, Write, Execute, Delete
	100\shared	Read, Execute
	100\shared\Errordumps	Read, Write
MSDTSServer100	100\dts\binn\MsDtsSrvr.ini.xml	Read
	100\dts\binn	Read, Execute
	100\shared	Read, Execute
	100\shared\Errordumps	Read, Write
SQL Server Browser	100\shared\ASConfig	Read
	100\shared	Read, Execute
	100\shared\Errordumps	Read, Write
MSADHelper	N/A (Runs under Network Service account)
SQLWriter	N/A (Runs as local system)
User	Instid\MSSQL\binn	Read, Execute
	Instid\Reporting Services\ReportServer	Read, Execute, List Folder Contents
	Instid\Reportingservices\Reportserver\global.asax	Read
	Instid\Reporting Services\ReportManager	Read, Execute
	Instid\Reporting Services\ReportManager\pages	Read
	Instid\Reporting Services\ReportManager\Styles	Read
	100\dts	Read, Execute
	100\tools	Read, Execute
	90\tools	Read, Execute
	80\tools	Read, Execute
	100\sdk	Read
	Microsoft SQL Server\100\Setup Bootstrap	Read, Execute

1In some scenarios, such as failover clustering and installing SQL Server on a domain controller, ACLs will be set for the SQL Server service SID instead of being set for the SQL Server service group.

2The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.

Some access control permissions might have to be granted to built-in accounts or other SQL Server service accounts. The following table lists additional ACLs that are set by SQL Server Setup.

Requesting component	Account	Resource	Permissions
MSSQLServer	Performance Log Users	Instid\MSSQL\binn	List folder contents
	Performance Monitor Users	Instid\MSSQL\binn	List folder contents
	Performance Log Users, Performance Monitor Users	\WINNT\system32\sqlctr100.dll	Read, Execute
	Administrator only	\\.\root\Microsoft\SqlServer\ServerEvents\<sql_instance_name>1	Full control
	Administrators, System	\tools\binn\schemas\sqlserver\2004\07\showplan	Full control
	Users	\tools\binn\schemas\sqlserver\2004\07\showplan	Read, Execute
Reporting Services	<Report Server Web Service Account>	<install>\Reporting Services\LogFiles	DELETE READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_GENERIC_WRITE FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES
	Report Manager Application pool identity, ASP.NET account, Everyone	<install>\Reporting Services\ReportManager, <install>\Reporting Services\ReportManager\Pages\*.*, <install>\Reporting Services\ReportManager\Styles\*.*, <install>\Reporting Services\ReportManager\webctrl_client\1_0\*.*	Read
	Report Manager Application pool identity	<install>\Reporting Services\ReportManager\Pages\*.*	Read
	<Report Server Web Service Account>	<install>\Reporting Services\ReportServer	Read
	<Report Server Web Service Account>	<install>\Reporting Services\ReportServer\global.asax	Full
	Everyone	<install>\Reporting Services\ReportServer\global.asax	READ_CONTROL FILE_READ_DATA FILE_READ_EA FILE_READ_ATTRIBUTES
	Network service	<install>\Reporting Services\ReportServer\ReportService.asmx	Full
	Everyone	<install>\Reporting Services\ReportServer\ReportService.asmx	READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_GENERIC_EXECUTE FILE_READ_DATA FILE_READ_EA FILE_EXECUTE FILE_READ_ATTRIBUTES
	ReportServer Windows Services Account	<install>\Reporting Services\ReportServer\RSReportServer.config	DELETE READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_GENERIC_WRITE FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES
	Everyone	Report Server keys (Instid hive)	Query Value Enumerate SubKeys Notify Read Control
	Terminal Services User	Report Server keys (Instid hive)	Query Value Set Value Create SubKey Enumerate SubKey Notify Delete Read Control
	Power Users	Report Server keys (Instid hive)	Query Value Set Value Create Subkey Enumerate Subkeys Notify Delete Read Control

1This is the WMI provider namespace.

 Reviewing Windows Permissions for SQL Server Services

The following table shows service names, the term that is used to refer to the default and named instances of SQL Server services, a description of the service function, and the required minimum permissions.

Display name	Service name	Description	Required permissions
SQL Server (InstanceName)	Default instance: MSSQLSERVER Named instance: MSSQL$InstanceName	SQL Server Database Engine. The path of the executable file is \MSSQL\Binn\sqlservr.exe.	Local user or domain user account is recommended. Log on as a service (SeServiceLogonRight).1 Log on as a batch job (SeBatchLogonRight). Replace a process-level token (SeAssignPrimaryTokenPrivilege). Bypass traverse checking (SeChangeNotifyPrivilege). Adjust memory quotas for a process (SeIncreaseQuotaPrivilege). Permission to start SQL Server Active Directory Helper. Permission to start SQL Writer. Permission to read the Event Log service. Permission to read the Remote Procedure Call service. Minimum permissions Functionality MSSQLServer service startup account The account must be in the list of accounts that have List Folder permissions on the root drive where SQL Server is installed. It must also be on the root of any other drive where SQL Server files are stored. Note: The "List Folder" permissions on the root drive do not have to be inherited by the subfolders. MSSQLServer service startup account The account must have Full Control permissions over any folders where data or log files (.mdf, .ndf, .ldf) will reside.
SQL Server Agent (InstanceName)1	Default instance: SQLServerAgent Named instance: SQLAgent$InstanceName	Executes jobs, monitors SQL Server, fires alerts, and enables automation of some administrative tasks. The path of the executable file is \MSSQL\Binn\sqlagent.exe.	Minimum permissions Functionality The account must be a member of the sysadmin fixed server role.   The account must have the following Windows permissions: Log on as a service. Log on as a batch job. Replace a process-level token. Adjust memory quotas for a process. Bypass traverse checking.
Analysis Services Services (InstanceName)	Default instance: MSSQLServerOLAPService Named instance: MSOLAP$InstanceName	The service that provides online analytical processing (OLAP) and data mining functionality for business intelligence applications. The path of the executable file is \OLAP\Bin\msmdsrv.exe.
Reporting Services	Default instance: ReportServer Named instance: ReportServer$InstanceName	Manages, executes, creates, schedules, and delivers reports. The path of the executable is \Reporting Services\ReportServer\Bin\ReportingServicesService.exe.
Integration Services	Default or named instance: MSDTSServer	Provides management support for Integration Services package storage and execution. The path of the executable file is \DTS\Binn\msdtssrvr.exe.
Full-text search	Default or named instance: SQL Full-text Filter Daemon Launcher	Service to launch the full-text filter daemon process to perform document filtering and word breaking for SQL Server full-text search.
SQL Server Browser	Default or named instance: SQLBrowser	The name resolution service that provides SQL Server connection information for client computers. This service is shared across multiple SQL Server and SSIS instances. The path of the executable file is <drive>:\Program Files\Microsoft SQL Server\100\Shared\sqlbrowser.exe.
SQL Server Active Directory Helper	Default or named instance: MSSQLServerADHelper.	Publishes and manages SQL Server services in Windows Active Directory. The path of the executable is <drive>:\Program Files\Microsoft SQL Server\100\Shared\sqladhelper.exe.
SQL Writer	SQLWriter	Allows backup and restore applications to operate in the Volume Shadow Copy Service framework. There is a single instance of the SQL Writer service for all instances of SQL Server on the server. The path of the executable file is <drive>:\Program Files\Microsoft SQL Server\100\Shared\sqlwriter.exe.

1The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.

 Reviewing Additional Considerations

The following table shows the permissions that are required for SQL Server services to provide additional functionality.

Service/Application	Functionality	Required permission
SQL Server (MSSQLSERVER)	Write to a mail slot using xp_sendmail.	Network write permissions.
SQL Server (MSSQLSERVER)	Run xp_cmdshell for a user other than a SQL Server administrator.	Act as part of operating system and replace a process-level token.
SQL Server Agent (MSSQLSERVER)	Use the autorestart feature.	Must be a member of the Administrators local group.
Database Engine Tuning Advisor	Tunes databases for optimal query performance.	On first use, a user who has system administrative credentials must initialize the application. After initialization, dbo users can use the Database Engine Tuning Advisor to tune only those tables that they own. For more information, see "Initializing Database Engine Tuning Advisor on First Use" in SQL Server Books Online.

Important:
Before you upgrade SQL Server, enable Windows Authentication for SQL Server Agent and verify the required default configuration: that the SQL Server Agent service account is a member of the SQL Server sysadmin group.

 Localized Service Names

The following table shows service names that are displayed by localized versions of Windows.

Language	Name for Local Service	Name for Network Service	Name for Local System	Name for Admin Group
English Simplified Chinese Traditional Chinese Korean Japanese	NT AUTHORITY\LOCAL SERVICE	NT AUTHORITY\NETWORK SERVICE	NT AUTHORITY\SYSTEM	BUILTIN\Administrators
German	NT-AUTORITÄT\LOKALER DIENST	NT-AUTORITÄT\NETZWERKDIENST	NT-AUTORITÄT\SYSTEM	VORDEFINIERT\Administratoren
French	AUTORITE NT\SERVICE LOCAL	AUTORITE NT\SERVICE RÉSEAU	AUTORITE NT\SYSTEM	BUILTIN\Administrateurs
Italian	NT AUTHORITY\SERVIZIO LOCALE	NT AUTHORITY\SERVIZIO DI RETE	NT AUTHORITY\SYSTEM	BUILTIN\Administrators
Spanish	NT AUTHORITY\SERVICIO LOC	NT AUTHORITY\SERVICIO DE RED	NT AUTHORITY\SYSTEM	BUILTIN\Administradores
Russian	NT AUTHORITY\LOCAL SERVICE	NT AUTHORITY\NETWORK SERVICE	NT AUTHORITY\SYSTEM	BUILTIN\Администраторы

 See Also

Reference

Database Engine Configuration - Account Provisioning
Analysis Services Configuration - Account Provisioning

Concepts

Security Considerations for a SQL Server Installation
File Locations for Default and Named Instances of SQL Server

Help and Information

Getting SQL Server 2008 Assistance