SQL Service Account group policy permissions

Bablu Pandet 1 Reputation point
2022-08-24T11:37:46.49+00:00

I'm trying to establish the best practise standards for configuring service account permissions in Group Policy. Based on Microsoft documentation, SQL Server setup requests permissions for the per-service SIDs or local Windows groups used by SQL Server components. E.g.

SQL Server Database Engine:

Default instance: NT SERVICE\MSSQLSERVER. Named instance: NT Service\MSSQL$<instance_name>. The per-service SID is granted the permissions below during SQL Server setup. The local group policy permissions are visible under User Rights Assignment.

· Log on as a service (SeServiceLogonRight)
· Replace a process-level token (SeAssignPrimaryTokenPrivilege)
· Bypass traverse checking (SeChangeNotifyPrivilege)
· Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

SQL Server Agent

Default instance: NT Service\SQLSERVERAGENT. Named instance: NT Service\SQLAGENT$<instance_name>. The per-service SID is granted the following permissions during setup.

· Log on as a service (SeServiceLogonRight)
· Replace a process-level token (SeAssignPrimaryTokenPrivilege)
· Bypass traverse checking (SeChangeNotifyPrivilege)
· Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

I also noticed that the SQL Service and Agent start-up accounts are automatically granted "Log on as a service" permissions during setup.

Question

Is anyone using domain-level group policy to apply the above permissions to the service start-up accounts (e.g. gMSAs) and the per-service SIDs? I'm trying to determine whether there is any benefit in using domain group policy to enforce these permissions on SQL Server VMs rather than relying on the local group policy permissions assigned by SQL Server during setup.
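The following PowerShell script is an added example, not code from the question or the answer. It audits the four user rights listed above on a SQL Server host by exporting the effective local security policy with secedit, resolving the SIDs in the [Privilege Rights] section (per-service SIDs translate to NT SERVICE\... names), and comparing the result against the principals expected to hold each right. It assumes a default instance; the gMSA name CORP\sqlsvc$ is a placeholder. Run it elevated on the host.

```powershell
# Added example (not from the Q&A thread). Audits User Rights Assignment on a
# SQL Server host against the rights granted by setup.
# Assumptions: default instance names; CORP\sqlsvc$ is a placeholder gMSA.

$Expected = @{
    'SeServiceLogonRight'           = @('NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'CORP\sqlsvc$')
    'SeAssignPrimaryTokenPrivilege' = @('NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT')
    'SeChangeNotifyPrivilege'       = @('NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT')
    'SeIncreaseQuotaPrivilege'      = @('NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT')
}

# Rights where unexpected holders matter; SeChangeNotifyPrivilege is held by
# Everyone by default, so extras there are noise rather than findings.
$ReportExtrasFor = @('SeServiceLogonRight', 'SeAssignPrimaryTokenPrivilege', 'SeIncreaseQuotaPrivilege')

function Resolve-PolicyPrincipal {
    param([string]$Entry)
    # secedit writes resolvable SIDs as *S-1-..., and unresolvable names verbatim.
    if ($Entry.StartsWith('*S-1-')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Entry   # orphaned SID (deleted account, stale GPO entry)
        }
    }
    return $Entry
}

function Get-LocalUserRights {
    # Export only the USER_RIGHTS area of the effective local policy.
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        $entries = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $rights[$name] = @($entries | ForEach-Object { Resolve-PolicyPrincipal $_ })
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Compare-UserRights {
    param([hashtable]$Actual, [hashtable]$Expected)
    foreach ($right in $Expected.Keys) {
        $have = @($Actual[$right])          # empty if nobody holds the right
        foreach ($want in $Expected[$right]) {
            # -contains is case-insensitive, so "NT Service" and "NT SERVICE" match.
            $status = if ($have -contains $want) { 'OK' } else { 'MISSING' }
            [pscustomobject]@{ Right = $right; Principal = $want; Status = $status }
        }
        if ($ReportExtrasFor -contains $right) {
            foreach ($extra in ($have | Where-Object { $Expected[$right] -notcontains $_ })) {
                [pscustomobject]@{ Right = $right; Principal = $extra; Status = 'EXTRA' }
            }
        }
    }
}

$actual = Get-LocalUserRights
Compare-UserRights -Actual $actual -Expected $Expected | Sort-Object Right, Status | Format-Table -AutoSize
```

The check is worth running after a domain GPO that touches User Rights Assignment applies, because a GPO-defined right replaces the local list rather than merging with it: a policy that lists only the gMSA under "Log on as a service" silently removes the right from NT SERVICE\MSSQLSERVER and NT SERVICE\SQLSERVERAGENT, which the script reports as MISSING and which shows up in practice as the service failing to start after the next gpupdate.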

1 answer

Seeya Xi-MSFT 16,446 Reputation points
2022-08-25T06:52:09.48+00:00

Hi @Bablu Pandet ,

Welcome to Microsoft Q&A!
Group Managed Service Accounts (gMSAs) are a way to avoid much work. They are special accounts that are created in Active Directory and can then be assigned as service accounts. They are completely managed by Active Directory, including their passwords. This means no more manual work to meet the password-changing policy; the machine takes care of that for you.
I suggest you read this article: Let's Talk About Group Managed Service Accounts
Here are related blogs about how to use Group Managed Service Accounts with SQL Server:
https://www.sqlshack.com/using-group-managed-service-accounts-with-sql-server/
https://www.mssqltips.com/sqlservertip/5340/using-group-managed-service-accounts-with-sql-server/

Best regards,
Seeya

