question

SailAway asked

Accounts created when SQL Server 2008 installed on Win2008

We have installed SQL Server 2008 on a Win2008 server. We use a domain\SQLServices account for both the instance service and the Agent. When we looked at the accounts created in the new instance, we found: NT SERVICE\MSSQLSERVER and NT SERVICE\SQLSERVERAGENT both with Sysadmin privs. What are these used for? Why don't we see the domain\SQLServices account that is running the services added? We found this article - http://support.microsoft.com/kb/955763 that warns against removing these accounts, but I can't find additional docs on the 2 accounts. Thanks!

sql-server-2008, security, installation

Rob Farley answered

Aren't those the IDs associated with the groups that contain the account domain\SQLServices? I.e., if you go to the "Local Users & Groups" section of Computer Management, you will see a bunch of groups in there, as a way of assigning sufficient permission to a user to run the particular service.

So if you look in the group for SQL Agent, you should see your SQLServices account in there. If you go into SQL Config Mgr and change the service account for SQL Agent, you should see the SQLServices account removed from that group and the new account put in. This is how the system lets you use a low privilege account for those services.

To be able to run the SQL & SQL Agent services, the accounts used need to be in the sysadmin role. But that's okay, because no-one other than the service should be logging on as that account.

1 comment

You're right, I do see the NT SERVICE\SQLSERVERAGENT in the OS groups created for SQL Agent. However, we used to see the domain\account in this group. Where is that connection? In other words, where do I see that domain\account is a member of NT SERVICE\SQLSERVERAGENT?
alex 3 answered

The service for SQL does not need to be sysadmin.
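
To audit the situation discussed in this thread, the following T-SQL lists every member of the sysadmin role and then checks how a given Windows account reaches the instance. It is an added example, not part of any post above; `domain\SQLServices` is the asker's placeholder name and must be replaced with a real account before running.

```sql
-- 1. Every member of the sysadmin fixed server role, grouped by kind of principal.
--    The NT SERVICE\ check comes first so per-service logins are always labelled as such.
SELECT  m.name       AS member_name,
        m.type_desc  AS principal_type,
        m.is_disabled,
        m.create_date,
        CASE
            WHEN m.name LIKE N'NT SERVICE\%' THEN 'per-service SID login'
            WHEN m.type = 'G'                THEN 'Windows group'
            WHEN m.type = 'U'                THEN 'Windows login'
            WHEN m.type = 'S'                THEN 'SQL login'
            ELSE 'other'
        END          AS category
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY category, m.name;

-- 2. Does the service account have a login of its own on this instance?
--    No row here means it is not listed by name, which is what the asker observed.
SELECT  name, type_desc, is_disabled
FROM    sys.server_principals
WHERE   name = N'domain\SQLServices';   -- placeholder account name from the question

-- 3. Permission paths for the account: its own login and any Windows group
--    login it is mapped through. An empty result means no login or group
--    login on this instance maps to the account.
EXEC master.dbo.xp_logininfo
     @acctname = N'domain\SQLServices', -- placeholder account name from the question
     @option   = 'all';

-- 4. Effective answer for one account: 1 = sysadmin, 0 = not, NULL = not resolvable.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'domain\SQLServices') AS is_sysadmin;
```

Run this as a login that can see all server principals (a sysadmin, for example); with fewer rights the catalog views show only the principals the caller is allowed to see.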