question

Wilfred van Dijk asked

Does a service account require a server role?

I'm a little confused about setting the security for a service account at instance level. There's a lot of documentation about best practices for setting up a service account, and I use a domain service account for SQLAgent. However, the security inside an instance is a bit of a mystery to me. According to [link text][1], the SQL Server Agent account must be a member of the sysadmin role. But a recently installed 2014 instance does not have a login for SQLAgent and everything is working fine, including mail (jobs are not owned by this service account).

Q: Does a service account need a login? And is a server role needed?

[1]: https://docs.microsoft.com/en-us/sql/ssms/agent/set-service-startup-account-sql-server-agent-sql-server-configuration-manager

1 Answer

anthony.green answered
You will have a few logins to your server in the form of NT SERVICE\SQLSERVERAGENT and NT SERVICE\MSSQLSERVER. Those logins map to the service and, in turn, the account which is running the service. If you look at the permissions of these, they have sysadmin rights, so while you don't see an explicit login for the agent service account, it does, by way of the NT SERVICE account, have rights. This is done to get around the fact that you may change your service accounts from time to time and forget to create a new login on the instance for it, so this captures that fact and allows for smooth running of the instance.
2 comments

Wilfred van Dijk commented ·
Thanks for your reply. So even if I have a domain account to start my SQLAgent service, it's actually using NT SERVICE\SQLSERVERAGENT? I don't see this account as a spid, but I do see the domain account as a spid
anthony.green commented ·
Yes, it acts sort of like a proxy. So you see the SPIDs logged in as the actual service account, but the permission is proxied from the NT SERVICE server principal through to the account set at the service level.
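To check on your own instance what the answer and comments above describe, the following T-SQL is an added example and not part of the original thread. It lists the account each service starts with, whether that account has its own login, and which NT SERVICE logins are direct members of sysadmin. It assumes a version that has `sys.dm_server_services` and a caller with VIEW SERVER STATE and enough rights to see all logins.

```sql
-- Added example, not from the original thread.
-- 1. Startup account of each service, and whether that account has
--    an explicit login of its own on the instance.
SELECT s.servicename,
       s.service_account,
       s.status_desc,
       CASE WHEN p.principal_id IS NULL THEN 0 ELSE 1 END AS has_explicit_login
FROM sys.dm_server_services AS s
LEFT JOIN sys.server_principals AS p
       ON p.name COLLATE DATABASE_DEFAULT
        = s.service_account COLLATE DATABASE_DEFAULT;

-- 2. Per-service logins (NT SERVICE\...) and whether each one is a
--    direct member of the sysadmin fixed server role.
--    On a named instance the names carry the instance name,
--    e.g. NT SERVICE\SQLAgent$<InstanceName>.
SELECT p.name        AS login_name,
       p.type_desc,
       p.is_disabled,
       CASE WHEN EXISTS (
                SELECT 1
                FROM sys.server_role_members AS m
                JOIN sys.server_principals  AS r
                  ON r.principal_id = m.role_principal_id
                WHERE m.member_principal_id = p.principal_id
                  AND r.name = N'sysadmin')
            THEN 1 ELSE 0 END AS is_sysadmin_member
FROM sys.server_principals AS p
WHERE p.name LIKE N'NT SERVICE\%'
ORDER BY p.name;
```

A row with `has_explicit_login = 0` in the first result, alongside a sysadmin NT SERVICE login for the same service in the second, is the situation described in the question.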
