Setting Up Windows Service Accounts

SQL Server 2005 Books Online (November 2008)

Updated: 12 December 2006

Each service in SQL Server represents a process or a set of processes to manage authentication of SQL Server operations with Microsoft Windows. This topic presents the default configuration of services in this release of SQL Server, and configuration options for SQL Server services that can be set during SQL Server installation.

Security Note   Always run SQL Server services by using the lowest possible user rights.

Depending on the Microsoft SQL Server 2005 components you choose to install, SQL Server 2005 Setup installs the following services:

• SQL Server Database Services - The service for the SQL Server relational Database Engine.
  
• SQL Server Agent - Executes jobs, monitors SQL Server, fires alerts, and allows automation of some administrative tasks.
  

  Note:

  For SQL Server and SQL Server Agent to run as services in Windows, SQL Server and SQL Server Agent must be assigned a Windows user account. Typically, both SQL Server and SQL Server Agent are assigned the same user account—either the local system or a domain user account. However, you can customize the settings for each service during the installation process. For more information about how to customize account information for each service, see Service Account.

• Analysis Services - Provides online analytical processing (OLAP) and data mining functionality for business intelligence applications.
  
• Reporting Services - Manages, executes, renders, schedules, and delivers reports.
  
• Notification Services - A platform for developing and deploying applications that generate and send notifications.
  
• Integration Services - Provides management support for Integration Services package storage and execution.
  
• Full-Text Search - Quickly creates full-text indexes on content and properties of structured and semi-structured data to allow fast linguistic searches on this data.
  
• SQL Server Browser - The name resolution service that provides SQL Server connection information for client computers.
  
• SQL Server Active Directory Helper - Publishes and manages SQL Server services in Active Directory.
  
• SQL Writer - Allows backup and restore applications to operate in the Volume Shadow Copy Service (VSS) framework.
  

The remainder of this topic is divided into the following sections:

• Configuring Services Exposed in SQL Server Setup
  
• Using Startup Accounts for SQL Server Services
  
• Identifying Instance-Aware and Instance-Unaware Services
  
• Reviewing NT Rights and Privileges Granted for SQL Server Service Accounts
  
• Reviewing Access Control Lists Created for SQL Server Service Accounts
  
• Reviewing Windows Permissions for SQL Server Services
  
• Reviewing Additional Considerations
  
• Localized Service Names
  

 Configuring Services Exposed in SQL Server Setup

During SQL Server Setup, you can configure some SQL Server services with the startup account and whether the service auto-starts. The following table shows the SQL Server services that can be configured during installation. For unattended installations, you can use the switches in an installation file or from the command prompt.

SQL Server service name	Configurable in Installation Wizard?	Switches for unattended installations1
MSSQLSERVER	Yes	SQLACCOUNT, SQLPASSWORD, SQLAUTOSTART
SQLServerAgent	Yes	AGTACCOUNT, AGTPASSWORD, AGTAUTOSTART
MSSQLServerOLAPService	Yes	ASACCOUNT, ASPASSWORD, ASAUTOSTART
ReportServer	Yes	RSACCOUNT, RSPASSWORD, RSAUTOSTART
SQLBrowser	Yes	SQLBROWSERACCOUNT, SQLBROWSERPASSWORD, SQLBROWSERAUTOSTART2

1For more information and sample syntax about remote and unattended installations, see How to: Install SQL Server 2005 from the Command Prompt.

2SQLBROWSERAUTOSTART can be specified even if SQL Server Browser is already installed.

The following services cannot be configured at install time. They are installed with default settings:

• Notification Services
  
• Integration Services
  
• Full-Text Search
  
• Active Directory Helper
  
• SQL Writer
  

 Using Startup Accounts for SQL Server Services

To start and run, each service in SQL Server 2005 must have a user account. User accounts can be built-in system accounts or domain user accounts.

In addition to having user accounts, every service has three possible startup states that users can control:

• Disabled   The service is installed but not currently running.
  
• Manual   The service is installed but will start only when another service or application needs its functionality.
  
• Automatic   The service is started by the operating system after device drivers are loaded at boot time.
  

The following table shows default and optional accounts for each SQL Server service, and the startup states for each service.

SQL Server service name	Default account	Optional accounts	Startup type	Default state following Setup
SQL Server	SQL Server Express Edition on Windows 2000: Local system SQL Server Express Edition on all other supported operating systems: Network service All other editions on all supported operating systems: Domain user1	SQL Server Express Edition: Domain User, Local System, Network Service1 All other editions: Domain User, Local System, Network Service1	Automatic2	Started Stopped only if user chooses not to autostart
SQL Server Agent	Domain user3	Domain User, Local System, Network Service1,6	Disabled Automatic only if user chooses to autostart	Stopped Started only if user chooses to autostart
Analysis Services	Domain user3	Domain User, Local System, Network Service, Local Service	Automatic	Started Stopped only if user chooses not to autostart
Reporting Services	Domain user3	Domain User, Local System, Network Service, Local Service	Automatic	Started Stopped only if user chooses not to autostart
Notification Services4	N/A	N/A	N/A	N/A
Integration Services	Windows 2000: Local system All other supported operating systems: Network service	Domain User, Local System, Network Service, Local Service	Automatic	Started Stopped only if user chooses not to autostart.
Full-Text Search	Same account as SQL Server	Domain User, Local System, Network Service, Local Service	Manual	Stopped Started only if user chooses to autostart.
SQL Server Browser	SQL Server Express Edition on Windows 2000: Local system SQL Server Express Edition on all other supported operating systems: Local service All other editions on all supported operating systems: Domain user1,3	Domain User, Local System, Network Service, Local Service	Disabled5 Automatic only if user chooses to autostart.	Stopped5 Started only if user chooses to autostart.
SQL Server Active Directory Helper	Network service	Local System, Network Service	Disabled	Stopped
SQL Writer	Local system	Local System	Automatic	Started

1 Important   Microsoft recommends that you do not use the Network Service account for the SQL Server or the SQL Server Agent services. Local User or Domain User accounts are more appropriate for these SQL Server services.

2Set as manual in failover cluster configurations.

3For unattended installations, this property is required. If it is not specified, Setup will fail. To specify local system, use SQLAccount=LocalSystem or ASAccount=LocalSystem. For more information and sample syntax for remote and unattended installations, see How to: Install SQL Server 2005 from the Command Prompt.

4 SQL Server Setup can install but will not configure Notification Services. For more information about enabling Notification Services after Setup, see the "Configuring Notification Services Windows Services" topic in SQL Server 2005 Books Online.

5For failover cluster installations, the SQL Server Browser is set to start automatically, and is started by default following Setup.

6For more information about supported Windows accounts for SQL Server Agent, see The supported Windows account types that you can use to run the SQL Server Agent service in SQL Server 2005.

Important:

For failover cluster installations, local system and local service accounts are not allowed for clustered services like SQL Server, SQL Server Agent, and SSAS. For more information, see Before Installing Failover Clustering. For SQL Server 2005 installations in side-by-side configurations with earlier versions of SQL Server, SQL Server 2005 services must use accounts found only in the global domains group. Additionally, accounts used by SQL Server 2005 services must not appear in the local Administrators group. Failure to comply with this guideline will cause unexpected security behavior.

Using a Domain User Account

A domain user account may be preferred when the service must interact with network services. Many server-to-server activities can be performed only with a domain user account, for example:

• Remote procedure calls.
  
• Replication.
  
• Backing up to network drives.
  
• Heterogeneous joins that involve remote data sources.
  
• SQL Server Agent mail features and SQL Mail. This restriction applies if using Microsoft Exchange. Most other mail systems also require clients, like the SQL Server and SQL Server Agent services, to be run on accounts with network access.
  

Using the Local Service Account

The Local Service account is a special, built-in account that is similar to an authenticated user account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with no credentials.

Using the Network Service Account

The Network Service account is a special, built-in account that is similar to an authenticated user account. The Network Service account has the same level of access to resources and objects as members of the Users group. Services that run as the Network Service account access network resources using the credentials of the computer account.

Important:
Microsoft recommends that you do not use the Network Service account for the SQL Server or SQL Server Agent services. Local User or Domain User accounts are more appropriate for these SQL services.

Using the Local System Account

The Local System account is a highly privileged account; use caution when assigning Local System permissions to SQL Server service accounts.

Security Note:
To increase the security of your SQL Server installation, run SQL Server services under a local Windows account with the lowest possible privileges.

Changing User Accounts

To change the password or other properties of any SQL Server–related service, use SQL Server Configuration Manager. If your Windows password changes, be sure also to update the SQL Server services settings in Windows. If you have Kerberos enabled, be sure to update the Service Principal Name (SPN) directory property for Active Directory.

For more information, see Changing Passwords and User Accounts. For information about using the Services add-in in Microsoft Windows to change SQL Server service accounts, see How to change the SQL Server or SQL Server Agent service account without using SQL Enterprise Manager in SQL Server 2000 or SQL Server Configuration Manager in SQL Server 2005.

 Identifying Instance-Aware and Instance-Unaware Services

Some SQL Server services are instance-aware while others are instance-unaware. Each instance-aware service is associated with a specific SQL Server instance, and has its own registry hive. You can install multiple copies of instance-aware services by running SQL Server Setup for installation of each component or service. Instance-unaware services are shared among all installed SQL Server instances; they are not associated with a specific instance, are installed only once, and cannot be installed side-by-side.

Instance-aware services in Microsoft SQL Server 2005 include:

• SQL Server
  
• SQL Server Agent
  
• Analysis Services
  
• Reporting Services
  
• Full-Text Search
  

Instance-unaware services in SQL Server 2005 include:

• Notification Services
  
• Integration Services
  
• SQL Server Browser
  
• SQL Server Active Directory Helper
  
• SQL Writer
  

 Reviewing Windows NT Rights and Privileges Granted for SQL Server Service Accounts

SQL Server Setup creates user groups for different SQL Server services and adds the service accounts to them as appropriate. These groups simplify granting the permissions required to run SQL Server services and other executables, and help to secure SQL Server files. Note that unique group names are required when installing SQL Server 2005 on a domain controller.

User groups created by SQL Server Setup are granted the following Windows NT rights and privileges.

SQL Server service	User group	Default permissions granted by SQL Server Setup
SQL Server	Default instance: SQLServer2005MSSQLUser$ComputerName$MSSQLSERVER Named instance: SQLServer2005MSSQLUser$ComputerName$InstanceName	Log on as a service (SeServiceLogonRight) Act as part of the operating system (SeTcbPrivilege) (only on Windows 2000) Log on as a batch job (SeBatchLogonRight) Replace a process-level token (SeAssignPrimaryTokenPrivilege) Bypass traverse checking (SeChangeNotifyPrivilege) Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) Permission to start SQL Server Active Directory Helper Permission to start SQL Writer
SQL Server Agent	Default instance: SQLServer2005SQLAgentUser$ComputerName$MSSQLSERVER Named instance: SQLServer2005SQLAgentUser$ComputerName$InstanceName	Log on as a service (SeServiceLogonRight) Act as part of the operating system (SeTcbPrivilege) (only on Windows 2000) Log on as a batch job (SeBatchLogonRight) Replace a process-level token (SeAssignPrimaryTokenPrivilege) Bypass traverse checking (SeChangeNotifyPrivilege) Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
Analysis Services	Default instance: SQLServer2005MSOLAPUser$ComputerName$MSSQLSERVER Named instance: SQLServer2005MSOLAPUser$ComputerName$InstanceName	Log on as a service (SeServiceLogonRight)
Reporting Services1	Default instance: SQLServer2005ReportServerUser$ComputerName$MSSQLSERVER and SQLServer2005ReportingServicesWebServiceUser$ComputerName$MSSQLSERVER Named instance: SQLServer2005ReportServerUser$ComputerName$InstanceName and SQLServer2005ReportingServicesWebServiceUser$ComputerName$InstanceName	Log on as a service (SeServiceLogonRight)
Notification Services2	Default or named instance: SQLServer2005NotificationServicesUser$ComputerName	N/A
Integration Services	Default or named instance: SQLServer2005DTSUser$ComputerName	Log on as a service (SeServiceLogonRight) Permission to write to application event log. Bypass traverse checking (SeChangeNotifyPrivilege) Create global objects (SeCreateGlobalPrivilege) Impersonate a client after authentication (SeImpersonatePrivilege)
Full-Text Search	Default instance: SQLServer2005MSFTEUser$ComputerName$MSSQLSERVER Named instance: SQLServer2005MSFTEUser$ComputerName$InstanceName	Log on as a service (SeServiceLogonRight)
SQL Server Browser	Default or named instance: SQLServer2005SQLBrowserUser$ComputerName	Log on as a service (SeServiceLogonRight)
SQL Server Active Directory Helper	Default or named instance: SQLServer2005MSSQLServerADHelperUser$ComputerName	None3
SQL Writer	N/A	None3

1For Reporting Services, SQL Server Setup must also create SQLServer2005ReportingServicesWebServiceUser$InstanceName and SQLServer2005ASP.NETUser user groups and grant access control lists (ACLs) to them. For more information, see the section below on access control lists.

2 SQL Server Setup can install but will not configure Notification Services. For more information on enabling Notification Services after Setup, see the "Configuring Notification Services Windows Services" topic in SQL Server 2005 Books Online.

3 SQL Server Setup does not check or grant permissions for this service.

 Reviewing Access Control Lists Created for SQL Server Service Accounts

SQL Server 2005 service accounts must have access to resources. Access control lists (ACLs) are set at the user group level. The following table lists ACLs set by SQL Server Setup.

Important:
For failover cluster installations, resources on shared disks cannot be set for any ACL in a local user group. Instead, those resources will be set to an ACL for a local account.

Service account for	Files and folders	Access
MSSQLServer	Instid\MSSQL\backup	Full control
	Instid\MSSQL\binn	Read, Execute
	Instid\MSSQL\data	Full control
	Instid\MSSQL\FTData	Full control
	Instid\MSSQL\Install	Read, Execute
	Instid\MSSQL\Log	Full control
	Instid\MSSQL\Repldata	Full control
	90\shared	Read, Execute
	90\shared\Errordumps	Read, Write
	90\com	Read, Execute
	Instid\MSSQL\Template Data (SQL Server Express Only)	Read
SQLServerAgent	Instid\MSSQL\binn	Full control
	Instid\MSSQL\Log	Full control
	Instid\MSSQL\jobs	Full control
	90\com	Read, Execute
	90\shared	Read, Execute
	90\shared\Errordumps	Read, Write
FTS	Instid\MSSQL\FTData	Full control
	Instid\MSSQL\FTRef	Read, Execute
	90\shared	Read, Execute
	90\shared\Errordumps	Read, Write
	Instid\MSSQL\Install	Read, Execute
MSSQLServerOLAPservice	90\shared	Read, Execute
	90\shared\msmdlocal.ini	Full control
	Instid\OLAP	Read, Execute
	Instid\Olap\Data	Full control
	Instid\Olap\Log	Read, Write
	90\shared\Errordumps	Read, Write
SQLServer2005ReportServerUser	Instid\Reporting Services\Log Files	Read, Write, Delete
	Instid\Reporting Services\ReportServer	Read, Execute
	Instid\Reportingservices\Reportserver\global.asax	Full control
	Instid\Reportingservices\Reportserver\Reportserver.config	Read, Write
	Instid\Reporting Services\reportManager	Read, Execute
	Instid\Reporting Services\RSTempfiles	Read,Write
	90\shared	Read, Execute
	90\shared\Errordumps	Read, Write
SQLServer2005ReportingServicesWebServiceUser	Instid\Reporting Services\Log Files	Read, Write, Delete
	Instid\Reporting Services\ReportServer	Read, Execute
	Instid\Reportingservices\Reportserver\global.asax	Full control
	InstID\Reporting Services\reportservice.asmx	Full Control
	Instid\Reportingservices\Reportserver\Reportserver.config	Read, Write, Delete
	Instid\Reporting Services\reportManager	Read, Execute
	Instid\Reporting Services\RSTempfiles	Read,Write
	Instid\Reporting Services\reportManager\pages	Read
	Instid\Reporting Services\reportManager\Styles	Read
	Instid\Reporting Services\reportManager\webctrl_client\1_0	Read
	90\shared	Read, Execute
	90\shared\Errordumps	Read, Write
Notification services	90\Notification services	Read, Execute, list folder contents
	90\shared	Read, Execute
	90\shared\Errordumps	Read, Write
MSDTSServer	90\dts\binn\MsDtsSrvr.ini.xml	Read
	90\dts\binn	Read, Execute
	90\shared	Read, Execute
	90\shared\Errordumps	Read, Write
SQL Server Browser	90\shared\msmdlocal.ini	Read
	90\shared	Read, Execute
	90\shared\Errordumps	Read, Write
MSADHekper	N/A (Runs as built in accounts)
SQLWriter	N/A (Runs as local system)
User	Instid\MSSQL\binn	Read, Execute
	Instid\Reporting Services\ReportServer	Read, Execute
	Instid\Reportingservices\Reportserver\global.asax	Read
	InstID\Reporting Services\reportservice.asmx	Read, Execute
	Instid\Reporting Services\reportManager	Read, Execute
	Instid\Reporting Services\reportManager\pages	Read
	Instid\Reporting Services\reportManager\Styles	Read
	90\dts	Read, Execute
	90\tools	Read, Execute
	80\tools	Read, Execute
	90\sdk	Read
	Microsoft SQL Server\90\Setup Bootstrap	Read, Execute

In addition to SQL Server service startup accounts, access control permissions may have to be granted to built-in accounts or other SQL Server service accounts. The following table lists additional ACLs set by SQL Server Setup.

Requesting component	Account	Resource	Permissions
MSSQLServer	Perfomance Log Users	Instid\MSSQL\binn	List folder contents
	Performance Monitor Users	Instid\MSSQL\binn	List folder contents
	Perfomance Log Users	Instid\MSSQL\binn\sqlctr90.dll	Read, Execute
	Performance Monitor Users	Instid\MSSQL\binn\sqlctr90.dll	Read, Execute
	Administrator only	\\.\root\Microsoft\SqlServer\ServerEvents\<sql_instance_name>1	Full control
	Administrators	\tools\binn\schemas\sqlserver\2003\03\showplan	Full control
	System	\tools\binn\schemas\sqlserver\2003\03\showplan	Full control
	Users	\tools\binn\schemas\sqlserver\2003\03\showplan	Read, Execute
Reporting services	<Report Server Web Service Account>	<install>\Reporting Services\LogFiles	DELETE READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_GENERIC_WRITE FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES
	Report Manager Application pool identity	<install>\Reporting Services\ReportManager	Read
	ASP.NET account	<install>\Reporting Services\ReportManager	Read
	Everyone	<install>\Reporting Services\ReportManager	Read
	Report Manager Application pool identity	<install>\Reporting Services\ReportManager\Pages\*.*	Read
	ASP.NET account	<install>\Reporting Services\ReportManager\Pages\*.*	Read
	Everyone	<install>\Reporting Services\ReportManager\Pages\*.*	Read
	Report Manager Application pool identity	<install>\Reporting Services\ReportManager\Styles\*.*	Read
	ASP.NET account	<install>\Reporting Services\ReportManager\Styles\*.*	Read
	Everyone	<install>\Reporting Services\ReportManager\Styles\*.*	Read
	Report Manager Application pool identity	<install>\Reporting Services\ReportManager\webctrl_client\1_0\*.*	Read
	ASP.NET account	<install>\Reporting Services\ReportManager\webctrl_client\1_0\*.*	Read
	Everyone	<install>\Reporting Services\ReportManager\webctrl_client\1_0\*.*	Read
	<Report Server Web Service Account>	<install>\Reporting Services\ReportServer	Read
	<Report Server Web Service Account>	<install>\Reporting Services\ReportServer\global.asax	Full
	Everyone	<install>\Reporting Services\ReportServer\global.asax	READ_CONTROL FILE_READ_DATA FILE_READ_EA FILE_READ_ATTRIBUTES
	Network service	<intsall>\Reporting Services\ReportServer\ReportService.asmx	Full
	Everyone	<intsall>\Reporting Services\ReportServer\ReportService.asmx	READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_GENERIC_EXECUTE FILE_READ_DATA FILE_READ_EA FILE_EXECUTE FILE_READ_ATTRIBUTES
	ReportServer Windows Services Account	<install>\Reporting Services\ReportServer\RSReportServer.config	DELETE READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_GENERIC_WRITE FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES
	Everyone	Report Server keys (Instid hive)	Query Value Enumerate SubKeys Notify Read Control
	Terminal Services User	Report Server keys (Instid hive)	Query Value Set Value Create SubKey Enumerate SubKey Notify Delete Read Control
	Power Users	Report Server keys (Instid hive)	Query Value Set Value Create Subkey Enumerate Subkeys Notify Delete Read Control

1This is the WMI provider namespace.

 Reviewing Windows Permissions for SQL Server Services

The following table shows service names, the term used to refer to the default and named instances of SQL Server services, a description of the service function, and required minimum permissions.

Display name	Service name	Description	Required permissions
SQL Server (InstanceName)	Default instance: MSSQLSERVER Named instance: MSSQL$InstanceName	SQL Server Database Engine. The path to the executable file is \MSSQL\Binn\sqlservr.exe.	Local user is recommended. MSSQLServer service startup account The account must be in the list of accounts that have "List Folder" permissions on the root drive where SQL Server is installed, and on the root of any other drive where SQL Server files are stored. Minimum permissions Functionality The "List Folder" permissions on the root drive do not have to be inherited by the subfolders. Note: MSSQLServer service startup account The account must have "Full Control" permissions over any folders where data or log files (.mdf, .ndf, .ldf) will reside.

SQL Server Agent (InstanceName)

Default instance: SQLServerAgent

Named instance: SQLAgent$InstanceName

Executes jobs, monitors SQL Server, fires alerts, and allows automation of some administrative tasks.

The path to the executable file is \MSSQL\Binn\sqlagent90.exe.

The account must be a member of the sysadmin fixed server role.  

The account must have the following Windows permissions1 Log on as a service. Log on as a batch job. Replace a process-level token. Adjust memory quotas for a process. Act as part of the operating system. Bypass traverse checking.

Minimum permissions	Functionality

Analysis Services Services (InstanceName)

Default instance: MSSQLServerOLAPService

Named instance: MSOLAP$InstanceName

The service that provides online analytical processing (OLAP) and data mining functionality for business intelligence applications.

The path to the executable file is \OLAP\Bin\msmdsrv.exe.

 

Report Server

Default instance: ReportServer

Named instance: ReportServer$InstanceName

Manages, executes, renders, schedules, and delivers reports.

The path to the executable is \Reporting Services\ReportServer\Bin\ReportingServicesService.exe.

 

Notification Services

 

Notification Services is a platform for developing and deploying applications that generate and send notifications. SQL Server Setup can install but will not configure Notification Services. For more information on enabling Notification Services after Setup, see the "Configuring Notification Services Windows Services" topic in SQL Server 2005 Books Online.

 

Integration Services

Default or named instance: MSDTSServer

Provides management support for Integration Services package storage and execution.

The path to the executable file is \DTS\Binn\msdtssrvr.exe.

 

SQL Server Browser

Default or named instance: SQLBrowser

The name resolution service that provides SQL Server connection information for client computers. This service is shared across multiple SQL Server and SSIS instances.

The path to the executable file is \90\shared\sqlbrowser.exe.

 

Microsoft FullText Search (MSFTESQL)

Default instance: MSFTESQL

Named instance: MSFTESQL$InstanceName

Quickly creates full-text indexes on content and properties of structured and semi-structured data to allow fast linguistic searches on this data.

The path to the executable file is \MSSQL\Binn\msftesql.exe.

 

SQL Server Active Directory Helper

Default or named instance: MSSQLServerADHelper.

Publishes and manages SQL Server services in Windows Active Directory.

The path to the executable is \90\Shared\sqladhelper.exe.

 

SQL Writer

SQLWriter

Allows backup and restore applications to operate in the Volume Shadow Copy Service (VSS) framework. There is a single instance of the SQL Writer service for all SQL Server instances on the server.

The path to the executable file is \90\Shared\sqlwriter.exe.

 

1For more information on how to verify that each of the required Windows permissions is set, see How to: Verify Permissions for SQL Server Services.

 Reviewing Additional Considerations

The following table shows permissions required for SQL Server services in order for them to provide additional functionality.

Service/Application	Functionality	Required permission
SQL Server (MSSQLSERVER)	Write to a mail slot using xp_sendmail.	Network write privileges.
SQL Server (MSSQLSERVER)	Run xp_cmdshell for a user other than a SQL Server administrator.	Act as part of operating system and replace a process-level token.
SQL Server Agent (MSSQLSERVER)	Use the autorestart feature.	Must be a member of the Administrators local group.
Database Engine Tuning Advisor	Tunes databases for optimal query performance.	On first use, a user with system administrator privileges must initialize the application. After initialization, users who own tables (dbo users) can use the Database Engine Tuning Advisor to tune only those tables that they own. For more information, see "Initializing Database Engine Tuning Advisor on First Use" in SQL Server 2005 Books Online.

Important:
Before upgrading to SQL Server 2005, enable Windows Authentication for SQL Server Agent and verify that the SQL Server Agent service account is a member of the SQL Server sysadmin group.

 Localized Service Names

The following table shows service names used by localized version of Microsoft Windows.

Language	Name for Local Service	Name for Network Service	Name for Local System	Name for Admin Group
English Simplified Chinese Traditional Chinese Korean Japanese	NT AUTHORITY\LOCAL SERVICE	NT AUTHORITY\NETWORK SERVICE	NT AUTHORITY\SYSTEM	BUILTIN\Administrators
German	NT-AUTORITÄT\LOKALER DIENST	NT-AUTORITÄT\NETZWERKDIENST	NT-AUTORITÄT\SYSTEM	VORDEFINIERT\Administratoren
French	AUTORITE NT\SERVICE LOCAL	AUTORITE NT\SERVICE RÉSEAU	AUTORITE NT\SYSTEM	BUILTIN\Administrateurs
Italian	NT AUTHORITY\SERVIZIO LOCALE	NT AUTHORITY\SERVIZIO DI RETE	NT AUTHORITY\SYSTEM	BUILTIN\Administrators
Spanish	NT AUTHORITY\SERVICIO LOC	NT AUTHORITY\SERVICIO DE RED	NT AUTHORITY\SYSTEM	BUILTIN\Administradores
Russian	NT AUTHORITY\LOCAL SERVICE	NT AUTHORITY\NETWORK SERVICE	NT AUTHORITY\SYSTEM	BUILTIN\Администраторы

 See Also

Reference

Service Account
Service Accounts (Clusters)

Concepts

Security Considerations for a SQL Server Installation

Help and Information

Getting SQL Server 2005 Assistance

 Change History

Release	History
12 December 2006	Changed content: Added security guidelines for service accounts in side-by-side configurations. Updated the startup type and default state for the SQL Writer service in SQL Server 2005 SP2.
17 July 2006	Changed content: Revised content flow and presentation to make the topic more readable. Added a link to the Knowledge Base article for using the Services add-in to change SQL Server and SQL Server Agent service accounts. Added Russian localized service names.
5 December 2005	Changed content: Removed LocalService from the list of accounts SQL Server Agent can use. Updated user groups created by SQL Server Setup.