Export (0) Print
Expand All

Setting Up Windows Service Accounts

Updated: 12 December 2006

Each service in SQL Server represents a process or a set of processes to manage authentication of SQL Server operations with Microsoft Windows. This topic presents the default configuration of services in this release of SQL Server, and configuration options for SQL Server services that can be set during SQL Server installation.

Security Note   Always run SQL Server services by using the lowest possible user rights.

Depending on the Microsoft SQL Server 2005 components you choose to install, SQL Server 2005 Setup installs the following services:

  • SQL Server Database Services - The service for the SQL Server relational Database Engine.
  • SQL Server Agent - Executes jobs, monitors SQL Server, fires alerts, and allows automation of some administrative tasks.
    ms143504.note(en-US,SQL.90).gifNote:
    For SQL Server and SQL Server Agent to run as services in Windows, SQL Server and SQL Server Agent must be assigned a Windows user account. Typically, both SQL Server and SQL Server Agent are assigned the same user account—either the local system or a domain user account. However, you can customize the settings for each service during the installation process. For more information about how to customize account information for each service, see Service Account.

  • Analysis Services - Provides online analytical processing (OLAP) and data mining functionality for business intelligence applications.
  • Reporting Services - Manages, executes, renders, schedules, and delivers reports.
  • Notification Services - A platform for developing and deploying applications that generate and send notifications.
  • Integration Services - Provides management support for Integration Services package storage and execution.
  • Full-Text Search - Quickly creates full-text indexes on content and properties of structured and semi-structured data to allow fast linguistic searches on this data.
  • SQL Server Browser - The name resolution service that provides SQL Server connection information for client computers.
  • SQL Server Active Directory Helper - Publishes and manages SQL Server services in Active Directory.
  • SQL Writer - Allows backup and restore applications to operate in the Volume Shadow Copy Service (VSS) framework.

The remainder of this topic is divided into the following sections:

During SQL Server Setup, you can configure some SQL Server services with the startup account and whether the service auto-starts. The following table shows the SQL Server services that can be configured during installation. For unattended installations, you can use the switches in an installation file or from the command prompt.

SQL Server service name Configurable in Installation Wizard? Switches for unattended installations1

MSSQLSERVER

Yes

SQLACCOUNT, SQLPASSWORD, SQLAUTOSTART

SQLServerAgent

Yes

AGTACCOUNT, AGTPASSWORD, AGTAUTOSTART

MSSQLServerOLAPService

Yes

ASACCOUNT, ASPASSWORD, ASAUTOSTART

ReportServer

Yes

RSACCOUNT, RSPASSWORD, RSAUTOSTART

SQLBrowser

Yes

SQLBROWSERACCOUNT, SQLBROWSERPASSWORD, SQLBROWSERAUTOSTART2

1For more information and sample syntax about remote and unattended installations, see How to: Install SQL Server 2005 from the Command Prompt.

2SQLBROWSERAUTOSTART can be specified even if SQL Server Browser is already installed.

The following services cannot be configured at install time. They are installed with default settings:

  • Notification Services
  • Integration Services
  • Full-Text Search
  • Active Directory Helper
  • SQL Writer

To start and run, each service in SQL Server 2005 must have a user account. User accounts can be built-in system accounts or domain user accounts.

In addition to having user accounts, every service has three possible startup states that users can control:

  • Disabled   The service is installed but not currently running.
  • Manual   The service is installed but will start only when another service or application needs its functionality.
  • Automatic   The service is started by the operating system after device drivers are loaded at boot time.

The following table shows default and optional accounts for each SQL Server service, and the startup states for each service.

SQL Server service name Default account Optional accounts Startup type Default state following Setup

SQL Server

SQL Server Express Edition on Windows 2000: Local system

SQL Server Express Edition on all other supported operating systems: Network service

All other editions on all supported operating systems: Domain user1

SQL Server Express Edition: Domain User, Local System, Network Service1

All other editions: Domain User, Local System, Network Service1

Automatic2

Started

Stopped only if user chooses not to autostart

SQL Server Agent

Domain user3

Domain User, Local System, Network Service1,6

Disabled

Automatic only if user chooses to autostart

Stopped

Started only if user chooses to autostart

Analysis Services

Domain user3

Domain User, Local System, Network Service, Local Service

Automatic

Started

Stopped only if user chooses not to autostart

Reporting Services

Domain user3

Domain User, Local System, Network Service, Local Service

Automatic

Started

Stopped only if user chooses not to autostart

Notification Services4

N/A

N/A

N/A

N/A

Integration Services

Windows 2000: Local system

All other supported operating systems: Network service

Domain User, Local System, Network Service, Local Service

Automatic

Started

Stopped only if user chooses not to autostart.

Full-Text Search

Same account as SQL Server

Domain User, Local System, Network Service, Local Service

Manual

Stopped

Started only if user chooses to autostart.

SQL Server Browser

SQL Server Express Edition on Windows 2000: Local system

SQL Server Express Edition on all other supported operating systems: Local service

All other editions on all supported operating systems: Domain user1,3

Domain User, Local System, Network Service, Local Service

Disabled5

Automatic only if user chooses to autostart.

Stopped5

Started only if user chooses to autostart.

SQL Server Active Directory Helper

Network service

Local System, Network Service

Disabled

Stopped

SQL Writer

Local system

Local System

Automatic

Started

1 Important   Microsoft recommends that you do not use the Network Service account for the SQL Server or the SQL Server Agent services. Local User or Domain User accounts are more appropriate for these SQL Server services.

2Set as manual in failover cluster configurations.

3For unattended installations, this property is required. If it is not specified, Setup will fail. To specify local system, use SQLAccount=LocalSystem or ASAccount=LocalSystem. For more information and sample syntax for remote and unattended installations, see How to: Install SQL Server 2005 from the Command Prompt.

4 SQL Server Setup can install but will not configure Notification Services. For more information about enabling Notification Services after Setup, see the "Configuring Notification Services Windows Services" topic in SQL Server 2005 Books Online.

5For failover cluster installations, the SQL Server Browser is set to start automatically, and is started by default following Setup.

6For more information about supported Windows accounts for SQL Server Agent, see The supported Windows account types that you can use to run the SQL Server Agent service in SQL Server 2005.

ms143504.note(en-US,SQL.90).gifImportant:
For failover cluster installations, local system and local service accounts are not allowed for clustered services like SQL Server, SQL Server Agent, and SSAS. For more information, see Before Installing Failover Clustering.

For SQL Server 2005 installations in side-by-side configurations with earlier versions of SQL Server, SQL Server 2005 services must use accounts found only in the global domains group. Additionally, accounts used by SQL Server 2005 services must not appear in the local Administrators group. Failure to comply with this guideline will cause unexpected security behavior.

Using a Domain User Account

A domain user account may be preferred when the service must interact with network services. Many server-to-server activities can be performed only with a domain user account, for example:

  • Remote procedure calls.
  • Replication.
  • Backing up to network drives.
  • Heterogeneous joins that involve remote data sources.
  • SQL Server Agent mail features and SQL Mail. This restriction applies if using Microsoft Exchange. Most other mail systems also require clients, like the SQL Server and SQL Server Agent services, to be run on accounts with network access.

Using the Local Service Account

The Local Service account is a special, built-in account that is similar to an authenticated user account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with no credentials.

Using the Network Service Account

The Network Service account is a special, built-in account that is similar to an authenticated user account. The Network Service account has the same level of access to resources and objects as members of the Users group. Services that run as the Network Service account access network resources using the credentials of the computer account.

ms143504.note(en-US,SQL.90).gifImportant:
Microsoft recommends that you do not use the Network Service account for the SQL Server or SQL Server Agent services. Local User or Domain User accounts are more appropriate for these SQL services.

Using the Local System Account

The Local System account is a highly privileged account; use caution when assigning Local System permissions to SQL Server service accounts.

ms143504.security(en-US,SQL.90).gifSecurity Note:
To increase the security of your SQL Server installation, run SQL Server services under a local Windows account with the lowest possible privileges.

Changing User Accounts

To change the password or other properties of any SQL Server–related service, use SQL Server Configuration Manager. If your Windows password changes, be sure also to update the SQL Server services settings in Windows. If you have Kerberos enabled, be sure to update the Service Principal Name (SPN) directory property for Active Directory.

For more information, see Changing Passwords and User Accounts. For information about using the Services add-in in Microsoft Windows to change SQL Server service accounts, see How to change the SQL Server or SQL Server Agent service account without using SQL Enterprise Manager in SQL Server 2000 or SQL Server Configuration Manager in SQL Server 2005.

Some SQL Server services are instance-aware while others are instance-unaware. Each instance-aware service is associated with a specific SQL Server instance, and has its own registry hive. You can install multiple copies of instance-aware services by running SQL Server Setup for installation of each component or service. Instance-unaware services are shared among all installed SQL Server instances; they are not associated with a specific instance, are installed only once, and cannot be installed side-by-side.

Instance-aware services in Microsoft SQL Server 2005 include:

  • SQL Server
  • SQL Server Agent
  • Analysis Services
  • Reporting Services
  • Full-Text Search

Instance-unaware services in SQL Server 2005 include:

  • Notification Services
  • Integration Services
  • SQL Server Browser
  • SQL Server Active Directory Helper
  • SQL Writer

SQL Server Setup creates user groups for different SQL Server services and adds the service accounts to them as appropriate. These groups simplify granting the permissions required to run SQL Server services and other executables, and help to secure SQL Server files. Note that unique group names are required when installing SQL Server 2005 on a domain controller.

User groups created by SQL Server Setup are granted the following Windows NT rights and privileges.

SQL Server service User group Default permissions granted by SQL Server Setup

SQL Server

Default instance: SQLServer2005MSSQLUser$ComputerName$MSSQLSERVER

Named instance: SQLServer2005MSSQLUser$ComputerName$InstanceName

Log on as a service (SeServiceLogonRight)

Act as part of the operating system (SeTcbPrivilege) (only on Windows 2000)

Log on as a batch job (SeBatchLogonRight)

Replace a process-level token (SeAssignPrimaryTokenPrivilege)

Bypass traverse checking (SeChangeNotifyPrivilege)

Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

Permission to start SQL Server Active Directory Helper

Permission to start SQL Writer

SQL Server Agent

Default instance: SQLServer2005SQLAgentUser$ComputerName$MSSQLSERVER

Named instance: SQLServer2005SQLAgentUser$ComputerName$InstanceName

Log on as a service (SeServiceLogonRight)

Act as part of the operating system (SeTcbPrivilege) (only on Windows 2000)

Log on as a batch job (SeBatchLogonRight)

Replace a process-level token (SeAssignPrimaryTokenPrivilege)

Bypass traverse checking (SeChangeNotifyPrivilege)

Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

Analysis Services

Default instance: SQLServer2005MSOLAPUser$ComputerName$MSSQLSERVER

Named instance: SQLServer2005MSOLAPUser$ComputerName$InstanceName

Log on as a service (SeServiceLogonRight)

Reporting Services1

Default instance: SQLServer2005ReportServerUser$ComputerName$MSSQLSERVER and SQLServer2005ReportingServicesWebServiceUser$ComputerName$MSSQLSERVER

Named instance: SQLServer2005ReportServerUser$ComputerName$InstanceName and SQLServer2005ReportingServicesWebServiceUser$ComputerName$InstanceName

Log on as a service (SeServiceLogonRight)

Notification Services2

Default or named instance: SQLServer2005NotificationServicesUser$ComputerName

N/A

Integration Services

Default or named instance: SQLServer2005DTSUser$ComputerName

Log on as a service (SeServiceLogonRight)

Permission to write to application event log.

Bypass traverse checking (SeChangeNotifyPrivilege)

Create global objects (SeCreateGlobalPrivilege)

Impersonate a client after authentication (SeImpersonatePrivilege)

Full-Text Search

Default instance: SQLServer2005MSFTEUser$ComputerName$MSSQLSERVER

Named instance: SQLServer2005MSFTEUser$ComputerName$InstanceName

Log on as a service (SeServiceLogonRight)

SQL Server Browser

Default or named instance: SQLServer2005SQLBrowserUser$ComputerName

Log on as a service (SeServiceLogonRight)

SQL Server Active Directory Helper

Default or named instance: SQLServer2005MSSQLServerADHelperUser$ComputerName

None3

SQL Writer

N/A

None3

1For Reporting Services, SQL Server Setup must also create SQLServer2005ReportingServicesWebServiceUser$InstanceName and SQLServer2005ASP.NETUser user groups and grant access control lists (ACLs) to them. For more information, see the section below on access control lists.

2 SQL Server Setup can install but will not configure Notification Services. For more information on enabling Notification Services after Setup, see the "Configuring Notification Services Windows Services" topic in SQL Server 2005 Books Online.

3 SQL Server Setup does not check or grant permissions for this service.

SQL Server 2005 service accounts must have access to resources. Access control lists (ACLs) are set at the user group level. The following table lists ACLs set by SQL Server Setup.

ms143504.note(en-US,SQL.90).gifImportant:
For failover cluster installations, resources on shared disks cannot be set for any ACL in a local user group. Instead, those resources will be set to an ACL for a local account.

Service account for Files and folders Access

MSSQLServer

Instid\MSSQL\backup

Full control

 

Instid\MSSQL\binn

Read, Execute

 

Instid\MSSQL\data

Full control

 

Instid\MSSQL\FTData

Full control

 

Instid\MSSQL\Install

Read, Execute

 

Instid\MSSQL\Log

Full control

 

Instid\MSSQL\Repldata

Full control

 

90\shared

Read, Execute

 

90\shared\Errordumps

Read, Write

 

90\com

Read, Execute

 

Instid\MSSQL\Template Data (SQL Server Express Only)

Read

SQLServerAgent

Instid\MSSQL\binn

Full control

 

Instid\MSSQL\Log

Full control

 

Instid\MSSQL\jobs

Full control

 

90\com

Read, Execute

 

90\shared

Read, Execute

 

90\shared\Errordumps

Read, Write

FTS

Instid\MSSQL\FTData

Full control

 

Instid\MSSQL\FTRef

Read, Execute

 

90\shared

Read, Execute

 

90\shared\Errordumps

Read, Write

 

Instid\MSSQL\Install

Read, Execute

MSSQLServerOLAPservice

90\shared

Read, Execute

 

90\shared\msmdlocal.ini

Full control

 

Instid\OLAP

Read, Execute

 

Instid\Olap\Data

Full control

 

Instid\Olap\Log

Read, Write

 

90\shared\Errordumps

Read, Write

SQLServer2005ReportServerUser

Instid\Reporting Services\Log Files

Read, Write, Delete

 

Instid\Reporting Services\ReportServer

Read, Execute

 

Instid\Reportingservices\Reportserver\global.asax

Full control

 

Instid\Reportingservices\Reportserver\Reportserver.config

Read, Write

 

Instid\Reporting Services\reportManager

Read, Execute

 

Instid\Reporting Services\RSTempfiles

Read,Write

 

90\shared

Read, Execute

 

90\shared\Errordumps

Read, Write

SQLServer2005ReportingServicesWebServiceUser

Instid\Reporting Services\Log Files

Read, Write, Delete

 

Instid\Reporting Services\ReportServer

Read, Execute

 

Instid\Reportingservices\Reportserver\global.asax

Full control

 

InstID\Reporting Services\reportservice.asmx

Full Control

 

Instid\Reportingservices\Reportserver\Reportserver.config

Read, Write, Delete

 

Instid\Reporting Services\reportManager

Read, Execute

 

Instid\Reporting Services\RSTempfiles

Read,Write

 

Instid\Reporting Services\reportManager\pages

Read

 

Instid\Reporting Services\reportManager\Styles

Read

 

Instid\Reporting Services\reportManager\webctrl_client\1_0

Read

 

90\shared

Read, Execute

 

90\shared\Errordumps

Read, Write

Notification services

90\Notification services

Read, Execute, list folder contents

 

90\shared

Read, Execute

 

90\shared\Errordumps

Read, Write

MSDTSServer

90\dts\binn\MsDtsSrvr.ini.xml

Read

 

90\dts\binn

Read, Execute

 

90\shared

Read, Execute

 

90\shared\Errordumps

Read, Write

SQL Server Browser

90\shared\msmdlocal.ini

Read

 

90\shared

Read, Execute

 

90\shared\Errordumps

Read, Write

MSADHekper

N/A (Runs as built in accounts)

 

SQLWriter

N/A (Runs as local system)

 

User

Instid\MSSQL\binn

Read, Execute

 

Instid\Reporting Services\ReportServer

Read, Execute

 

Instid\Reportingservices\Reportserver\global.asax

Read

 

InstID\Reporting Services\reportservice.asmx

Read, Execute

 

Instid\Reporting Services\reportManager

Read, Execute

 

Instid\Reporting Services\reportManager\pages

Read

 

Instid\Reporting Services\reportManager\Styles

Read

 

90\dts

Read, Execute

 

90\tools

Read, Execute

 

80\tools

Read, Execute

 

90\sdk

Read

 

Microsoft SQL Server\90\Setup Bootstrap

Read, Execute

In addition to SQL Server service startup accounts, access control permissions may have to be granted to built-in accounts or other SQL Server service accounts. The following table lists additional ACLs set by SQL Server Setup.

Requesting component Account Resource Permissions

MSSQLServer

Perfomance Log Users

Instid\MSSQL\binn

List folder contents

 

Performance Monitor Users

Instid\MSSQL\binn

List folder contents

 

Perfomance Log Users

Instid\MSSQL\binn\sqlctr90.dll

Read, Execute

 

Performance Monitor Users

Instid\MSSQL\binn\sqlctr90.dll

Read, Execute

 

Administrator only

\\.\root\Microsoft\SqlServer\ServerEvents\<sql_instance_name>1

Full control

 

Administrators

\tools\binn\schemas\sqlserver\2003\03\showplan

Full control

 

System

\tools\binn\schemas\sqlserver\2003\03\showplan

Full control

 

Users

\tools\binn\schemas\sqlserver\2003\03\showplan

Read, Execute

Reporting services

<Report Server Web Service Account>

<install>\Reporting Services\LogFiles

DELETE

READ_CONTROL

SYNCHRONIZE

FILE_GENERIC_READ

FILE_GENERIC_WRITE

FILE_READ_DATA

FILE_WRITE_DATA

FILE_APPEND_DATA

FILE_READ_EA

FILE_WRITE_EA

FILE_READ_ATTRIBUTES

FILE_WRITE_ATTRIBUTES

 

Report Manager Application pool identity

<install>\Reporting Services\ReportManager

Read

 

ASP.NET account

<install>\Reporting Services\ReportManager

Read

 

Everyone

<install>\Reporting Services\ReportManager

Read

 

Report Manager Application pool identity

<install>\Reporting Services\ReportManager\Pages\*.*

Read

 

ASP.NET account

<install>\Reporting Services\ReportManager\Pages\*.*

Read

 

Everyone

<install>\Reporting Services\ReportManager\Pages\*.*

Read

 

Report Manager Application pool identity

<install>\Reporting Services\ReportManager\Styles\*.*

Read

 

ASP.NET account

<install>\Reporting Services\ReportManager\Styles\*.*

Read

 

Everyone

<install>\Reporting Services\ReportManager\Styles\*.*

Read

 

Report Manager Application pool identity

<install>\Reporting Services\ReportManager\webctrl_client\1_0\*.*

Read

 

ASP.NET account

<install>\Reporting Services\ReportManager\webctrl_client\1_0\*.*

Read

 

Everyone

<install>\Reporting Services\ReportManager\webctrl_client\1_0\*.*

Read

 

<Report Server Web Service Account>

<install>\Reporting Services\ReportServer

Read

 

<Report Server Web Service Account>

<install>\Reporting Services\ReportServer\global.asax

Full

 

Everyone

<install>\Reporting Services\ReportServer\global.asax

READ_CONTROL

FILE_READ_DATA

FILE_READ_EA

FILE_READ_ATTRIBUTES

 

Network service

<intsall>\Reporting Services\ReportServer\ReportService.asmx

Full

 

Everyone

<intsall>\Reporting Services\ReportServer\ReportService.asmx

READ_CONTROL

SYNCHRONIZE FILE_GENERIC_READ

FILE_GENERIC_EXECUTE

FILE_READ_DATA

FILE_READ_EA

FILE_EXECUTE

FILE_READ_ATTRIBUTES

 

ReportServer Windows Services Account

<install>\Reporting Services\ReportServer\RSReportServer.config

DELETE

READ_CONTROL

SYNCHRONIZE

FILE_GENERIC_READ

FILE_GENERIC_WRITE

FILE_READ_DATA

FILE_WRITE_DATA

FILE_APPEND_DATA

FILE_READ_EA

FILE_WRITE_EA

FILE_READ_ATTRIBUTES

FILE_WRITE_ATTRIBUTES

 

Everyone

Report Server keys (Instid hive)

Query Value

Enumerate SubKeys

Notify

Read Control

 

Terminal Services User

Report Server keys (Instid hive)

Query Value

Set Value

Create SubKey

Enumerate SubKey

Notify

Delete

Read Control

 

Power Users

Report Server keys (Instid hive)

Query Value

Set Value

Create Subkey

Enumerate Subkeys

Notify

Delete

Read Control

1This is the WMI provider namespace.

The following table shows service names, the term used to refer to the default and named instances of SQL Server services, a description of the service function, and required minimum permissions.

Display name Service name Description Required permissions

SQL Server (InstanceName)

Default instance: MSSQLSERVER

Named instance: MSSQL$InstanceName

SQL Server Database Engine.

The path to the executable file is \MSSQL\Binn\sqlservr.exe.

Local user is recommended.

MSSQLServer service startup account
The account must be in the list of accounts that have "List Folder" permissions on the root drive where SQL Server is installed, and on the root of any other drive where SQL Server files are stored.
Minimum permissions Functionality
The "List Folder" permissions on the root drive do not have to be inherited by the subfolders.
ms143504.note(en-US,SQL.90).gifNote:

MSSQLServer service startup account The account must have "Full Control" permissions over any folders where data or log files (.mdf, .ndf, .ldf) will reside.

SQL Server Agent (InstanceName)

Default instance: SQLServerAgent

Named instance: SQLAgent$InstanceName

Executes jobs, monitors SQL Server, fires alerts, and allows automation of some administrative tasks.

The path to the executable file is \MSSQL\Binn\sqlagent90.exe.

The account must be a member of the sysadmin fixed server role.  
The account must have the following Windows permissions1 Log on as a service. Log on as a batch job. Replace a process-level token. Adjust memory quotas for a process. Act as part of the operating system. Bypass traverse checking.
Minimum permissions Functionality

Analysis Services Services (InstanceName)

Default instance: MSSQLServerOLAPService

Named instance: MSOLAP$InstanceName

The service that provides online analytical processing (OLAP) and data mining functionality for business intelligence applications.

The path to the executable file is \OLAP\Bin\msmdsrv.exe.

 

Report Server

Default instance: ReportServer

Named instance: ReportServer$InstanceName

Manages, executes, renders, schedules, and delivers reports.

The path to the executable is \Reporting Services\ReportServer\Bin\ReportingServicesService.exe.

 

Notification Services

 

Notification Services is a platform for developing and deploying applications that generate and send notifications. SQL Server Setup can install but will not configure Notification Services. For more information on enabling Notification Services after Setup, see the "Configuring Notification Services Windows Services" topic in SQL Server 2005 Books Online.

 

Integration Services

Default or named instance: MSDTSServer

Provides management support for Integration Services package storage and execution.

The path to the executable file is \DTS\Binn\msdtssrvr.exe.

 

SQL Server Browser

Default or named instance: SQLBrowser

The name resolution service that provides SQL Server connection information for client computers. This service is shared across multiple SQL Server and SSIS instances.

The path to the executable file is \90\shared\sqlbrowser.exe.

 

Microsoft FullText Search (MSFTESQL)

Default instance: MSFTESQL

Named instance: MSFTESQL$InstanceName

Quickly creates full-text indexes on content and properties of structured and semi-structured data to allow fast linguistic searches on this data.

The path to the executable file is \MSSQL\Binn\msftesql.exe.

 

SQL Server Active Directory Helper

Default or named instance: MSSQLServerADHelper.

Publishes and manages SQL Server services in Windows Active Directory.

The path to the executable is \90\Shared\sqladhelper.exe.

 

SQL Writer

SQLWriter

Allows backup and restore applications to operate in the Volume Shadow Copy Service (VSS) framework. There is a single instance of the SQL Writer service for all SQL Server instances on the server.

The path to the executable file is \90\Shared\sqlwriter.exe.

 

1For more information on how to verify that each of the required Windows permissions is set, see How to: Verify Permissions for SQL Server Services.

The following table shows permissions required for SQL Server services in order for them to provide additional functionality.

Service/Application Functionality Required permission

SQL Server (MSSQLSERVER)

Write to a mail slot using xp_sendmail.

Network write privileges.

SQL Server (MSSQLSERVER)

Run xp_cmdshell for a user other than a SQL Server administrator.

Act as part of operating system and replace a process-level token.

SQL Server Agent (MSSQLSERVER)

Use the autorestart feature.

Must be a member of the Administrators local group.

Database Engine Tuning Advisor

Tunes databases for optimal query performance.

On first use, a user with system administrator privileges must initialize the application. After initialization, users who own tables (dbo users) can use the Database Engine Tuning Advisor to tune only those tables that they own. For more information, see "Initializing Database Engine Tuning Advisor on First Use" in SQL Server 2005 Books Online.

ms143504.note(en-US,SQL.90).gifImportant:
Before upgrading to SQL Server 2005, enable Windows Authentication for SQL Server Agent and verify that the SQL Server Agent service account is a member of the SQL Server sysadmin group.

The following table shows service names used by localized version of Microsoft Windows.

Language Name for Local Service Name for Network Service Name for Local System Name for Admin Group

English

Simplified Chinese

Traditional Chinese

Korean

Japanese

NT AUTHORITY\LOCAL SERVICE

NT AUTHORITY\NETWORK SERVICE

NT AUTHORITY\SYSTEM

BUILTIN\Administrators

German

NT-AUTORITÄT\LOKALER DIENST

NT-AUTORITÄT\NETZWERKDIENST

NT-AUTORITÄT\SYSTEM

VORDEFINIERT\Administratoren

French

AUTORITE NT\SERVICE LOCAL

AUTORITE NT\SERVICE RÉSEAU

AUTORITE NT\SYSTEM

BUILTIN\Administrateurs

Italian

NT AUTHORITY\SERVIZIO LOCALE

NT AUTHORITY\SERVIZIO DI RETE

NT AUTHORITY\SYSTEM

BUILTIN\Administrators

Spanish

NT AUTHORITY\SERVICIO LOC

NT AUTHORITY\SERVICIO DE RED

NT AUTHORITY\SYSTEM

BUILTIN\Administradores

Russian

NT AUTHORITY\LOCAL SERVICE

NT AUTHORITY\NETWORK SERVICE

NT AUTHORITY\SYSTEM

BUILTIN\Администраторы

Release History

12 December 2006

Changed content:
  • Added security guidelines for service accounts in side-by-side configurations.
  • Updated the startup type and default state for the SQL Writer service in SQL Server 2005 SP2.

17 July 2006

Changed content:
  • Revised content flow and presentation to make the topic more readable.
  • Added a link to the Knowledge Base article for using the Services add-in to change SQL Server and SQL Server Agent service accounts.
  • Added Russian localized service names.

5 December 2005

Changed content:
  • Removed LocalService from the list of accounts SQL Server Agent can use.
  • Updated user groups created by SQL Server Setup.

Community Additions

ADD
Show:
© 2014 Microsoft