We have installed SQL Server 2008 on a Win2008 server. We use a domain\SQLServices account for both the instance service and the Agent. When we looked at the accounts created in the new instance, we found: NT SERVICE\MSSQLSERVER and NT SERVICE\SQLSERVERAGENT both with Sysadmin privs. What are these used for? Why don't we see the domain\SQLServices account that is running the services added? We found this article - http://support.microsoft.com/kb/955763 that warns against removing these accounts, but I can't find additional docs on the 2 accounts. Thanks!
asked Dec 16, 2009 at 06:21 PM in Default
Aren't those the IDs associated with the groups that contain the account domain\SQLServices? I.e., if you go to the "Local Users & Groups" section of Computer Management, you will see a bunch of groups in there, as a way of assigning sufficient permission to a user to run the particular service.
So if you look in the group for SQL Agent, you should see your SQLServices account in there. If you go into SQL Config Mgr and change the service account for SQL Agent, you should see the SQLServices account removed from that group and the new account put in. This is how the system lets you use a low privilege account for those services.
To be able to run the SQL & SQL Agent services, the accounts used need to be in the sysadmin role. But that's okay, because no one other than the service should be logging on as that account.
answered Dec 16, 2009 at 11:15 PM
The service for SQL does not need to be sysadmin.
answered May 28, 2010 at 10:47 AM