Changing Passwords and User Accounts
Microsoft® SQL Server™ 2000 services accounts and passwords are linked to Microsoft Windows® user accounts and passwords. Changes in one location may require changes in the other.
Changing SQL Server Services Accounts After Install
After you have installed SQL Server 2000, use SQL Server Enterprise Manager to change the assigned password or other properties of any SQL Server–related service. Each service must be changed individually. In addition, the Microsoft Search service (full-text search) must always run under the local system account.
The new user account takes effect when the service is restarted. You should not change the passwords for any of the SQL Server service accounts when a failover cluster node is down or offline. If you have to do this, you will need to reset the password again using Enterprise Manager when all nodes are back online.
If you are running Microsoft Windows NT®, and you select to change the current service account for SQL Server to a non-administrator account (and the current service account for SQL Server is not an administrator account), the Valid Administrator Login dialog box is displayed. SQL Server must have administrator privileges to change security entries, so you must enter the user name, password, and domain to impersonate the non-administrator service account you have selected.
Once you have specified this information, all objects are granted full control permission. The location of the objects is determined by the following:
- Permissions are set for all files in the binary and data installation locations for the specific instances.
- Registry permissions depend on whether the instance is default or named:
For a default instance, permissions are applied only to the entries listed below the HKLM\Software\Microsoft\MSSQLServer entry:
For a named instance, permissions are applied to the entire HKLM\Software\Microsoft\MicrosoftSQLServer\80 entry.
The following rights are granted to the accounts:
- SeServiceLogonRight, which allows the account to run as a service.
- SeLockMemoryPrivilege, which allows the account to use the AWE memory feature of SQL Server.
- SeTcbPrivilege, which allows the account to impersonate other accounts.
If you are running SQL Server in a failover cluster configuration, permissions are also set for all files in the binary and data installation locations for all nodes in the cluster. Permission is also granted for the service account on the Cluster Object.
Note If you are running Microsoft Windows 2000 and want to use the Windows 2000 Encrypted File System to encrypt any SQL Server files, you must unencrypt the files before you can change the SQL Server service accounts. If you do not unencrypt the files and then reset the SQL Server service accounts, you cannot unencrypt the files.
Changing the current service account for SQL Server to a non-administrator account causes existing full-text catalogs to become inaccessible. Either rebuild and perform a full population of all catalogs belonging to this instance of SQL Server, or switch back to an account with administrator permissions.
You can change the SQLServerAgent service account to a non Microsoft Windows NT® 4.0 administrator account. However, the Windows NT 4.0 account must be a member of the sysadmin fixed server role to run SQL Server Agent.
To change the MSSQLServer services login (Enterprise Manager)
Windows Passwords Changes
If your Windows password changes after SQL Server 2000 is installed (for example, your password expires), you must also revise the user account information for SQL Server services in Windows.
To change SQL Server services login account information (Windows NT)
To change SQL Server services login account information (Windows 2000)
After changing the SQL Server service account information in Control Panel, you must also change the SQL Server service account in SQL Server Enterprise Manager. This allows the service account information for Microsoft Search service to remain synchronized as well.
Important Although the Microsoft Search service is always assigned to the local system account, the full-text search engine tracks the SQL Server service account in Windows. Full-text search and failover clustering are not available if Windows password changes are not reset using SQL Server Enterprise Manager.
For more information about creating Windows NT user accounts, granting advanced user rights, setting password expiration, and managing group memberships, see the Windows NT documentation or User Manager for Domains Help. For Microsoft Windows 2000 users, see Computer Management or Group Policy Editor in the Windows 2000 documentation.