I'm a little confused about setting the security for a service account at instance level. There's a lot of documentation about best practices for setting up a service account, and I use a domain service account for SQLAgent. However, the security inside an instance is a little mystery to me. According to [link text], the SQL Server Agent account must be a member of the sysadmin role. But a recently installed 2014 instance does not have a login for SQLAgent and everything is working fine, including mail (jobs are not owned by this service account).

Q: Does a service account need a login? And is a server role needed?
You will have a few logins to your server in the form of NT SERVICE\SQLSERVERAGENT and NT SERVICE\MSSQLSERVER. Those logins map to the service and in turn the account which is running the service. If you look at the permissions of these, they have sysadmin rights, so while you don't see an explicit login for the agent service account, it does, by way of the NT SERVICE account, have rights. This is done to get around the fact that you may change your service accounts from time to time and forget to create a new login on the instance for it, so this captures that fact and allows for smooth running of the instance.
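
To see this on your own instance, the queries below (an added example, not part of the original answer) list the accounts the services run under, the NT SERVICE\ logins with their server roles, and whether each service account also has an explicit login. They use only system catalog views and assume the caller has VIEW SERVER STATE; on a named instance the service logins carry the instance name, which the LIKE pattern still matches.

```sql
-- 1) Accounts the SQL Server services are currently running under.
SELECT servicename,
       service_account,
       status_desc
FROM sys.dm_server_services;

-- 2) Per-service logins (NT SERVICE\...) and the server roles they hold.
--    A row with server_role = 'sysadmin' is where the Agent gets its rights.
SELECT sp.name        AS login_name,
       sp.type_desc   AS login_type,
       sp.is_disabled,
       r.name         AS server_role
FROM sys.server_principals AS sp
LEFT JOIN sys.server_role_members AS rm
       ON rm.member_principal_id = sp.principal_id
LEFT JOIN sys.server_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE sp.name LIKE N'NT SERVICE\%'
ORDER BY sp.name, r.name;

-- 3) Does the service account itself (e.g. the domain account) also have
--    an explicit login, and if so, which server roles does that login hold?
--    'no explicit login' is expected when access comes via NT SERVICE\...
SELECT s.servicename,
       s.service_account,
       CASE WHEN sp.principal_id IS NULL
            THEN 'no explicit login'
            ELSE 'explicit login'
       END            AS login_state,
       r.name         AS server_role
FROM sys.dm_server_services AS s
LEFT JOIN sys.server_principals AS sp
       ON sp.name COLLATE DATABASE_DEFAULT
        = s.service_account COLLATE DATABASE_DEFAULT
LEFT JOIN sys.server_role_members AS rm
       ON rm.member_principal_id = sp.principal_id
LEFT JOIN sys.server_principals AS r
       ON r.principal_id = rm.role_principal_id
ORDER BY s.servicename, r.name;
```

An explicit sysadmin login for the domain account in the third result duplicates what the NT SERVICE\ login already grants, and it stays behind if the service account is later changed.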