SQL Server startup account permission

sakuraime 2,321 Reputation points
2021-09-30T02:00:08.31+00:00

I install sql server and have a custom domain account to start up , domain\usera

but I found domain\usera is not in the following group . (and my sql server is working fine)

Replace a process level token
Bypass traverse checking
Adjust memory quotas for a process

https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver15

I just would like to have a look to see if these accounts permission is still a compulsory? ANd what's the usage for each one ?

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
13,322 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Stratos Matzouranis 36 Reputation points
    2021-09-30T06:33:39.483+00:00

    These are the correct ones:

    Act as part of the operating system
    Lock Pages in Memory
    Perform Volume Maintenance Tasks
    Bypass Traverse Checking
    Replace A Process Level Token
    Adjust Memory Quotas For A Process

    0 comments No comments

  2. CathyJi-MSFT 21,126 Reputation points Microsoft Vendor
    2021-09-30T06:36:10.127+00:00

    Hi @sakuraime ,

    Replace a process level token

    Replace a process level token setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler, where the user right is extended to any processes that can be managed by Task Scheduler.

    Bypass traverse checking

    This policy setting determines which users (or a process that acts on behalf of the user’s account) have permission to navigate an object path in the NTFS file system or in the registry without being checked for the Traverse Folder special access permission. This user right does not allow the user to list the contents of a folder. It only allows the user to traverse folders to access permitted files or subfolders.

    Adjust memory quotas for a process

    This privilege determines who can change the maximum memory that can be consumed by a process. This privilege is useful for system tuning on a group or user basis.

    This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers.

    By the way, did your SQL server instance default service account be added in this policy as below screenshot?
    136545-screenshot-2021-09-30-145716.jpg


    If the response is helpful, please click "Accept Answer" and upvote it, as this could help other community members looking for similar thread.


  3. MRKALIRAI 1 Reputation point
    2021-09-30T09:14:37.103+00:00

    ***hi guys! just a "noobie" here! could you guys please explain the benefits and point of sql or running ssh on ports and all that good stuff! please and thank you, HIGHLY appreciated **strong text*****