|
We have installed SQL Server 2008 on a Win2008 server. We use a domain\SQLServices account for both the instance service and the Agent. When we looked at the accounts created in the new instance, we found: NT SERVICE\MSSQLSERVER and NT SERVICE\SQLSERVERAGENT both with Sysadmin privs. What are these used for? Why don't we see the domain\SQLServices account that is running the services added? We found this article - http://support.microsoft.com/kb/955763 that warns against removing these accounts, but I can't find additional docs on the 2 accounts. Thanks!
(comments are locked)
|
|
Aren't those the IDs associated with the groups that contain the account domain\SQLServices? Ie... if you go to the "Local Users & Groups" section of Computer Management, you will see a bunch of groups in there, as a way of assigning sufficient permission to a user to run the particular service. So if you look in the group for SQL Agent, you should see your SQLServices account in there. If you go into SQL Config Mgr and change the service account for SQL Agent, you should see the SQLServices account removed from that group and the new account put in. This is how the system lets you use a low privilege account for those services. To be able to run the SQL & SQL Agent services, the accounts used need to be in the sysadmin role. But that's okay, because no-one other than the service should be logging on as that account. You're right I do see the NT SERVICESQLSERVERAGENT in the OS groups created for SQL Agent. However, we used to see the domainaccount in this group. Where is that connection? In otherwords where do I see that domainaccount is a member of NT SERVICESQLSERVERAGENT?
Dec 17 '09 at 11:53 AM
SailAway
(comments are locked)
|
|
the service for SQL does not need to be sysadmin.
(comments are locked)
|
