Configure file system permissions for Database Engine access

Applies to: SQL Server - Windows only

This article describes how to grant the SQL Server Database Engine file system access to the location where database files are stored. The Database Engine service must have permission of the Windows file system to access the file folder where database files are stored. Permission to the default location is configured during setup. If you place your database files in a different location, you must follow these steps to grant the Database Engine the full control permission to that location.

In SQL Server 2012 (11.x) and later versions, permissions are assigned to the per-service security identifier (SID) for each of its services. This system helps provide service isolation and defense in depth. The per-service SID is derived from the service name and is unique to each service. The article Configure Windows service accounts and permissions describes the per-service SID and provides the names in the section Windows Privileges and Rights. It's the per-service SID that must be assigned the access permission on the file location.

Grant file system permission to the per-service SID

  1. Using Windows Explorer, navigate to the file system location where the database files are stored. Right-click the file system folder, and then select Properties.

  2. On the Security tab, select Edit, and then Add.

  3. In the Select Users, Computer, Service Account, or Groups dialog box, select Locations, at the top of the location list, select your computer name, and then select OK.

  4. In the Enter the object names to select box, type the name of the per-service SID name. To locate it, see Configure Windows service accounts and permissions. (For the Database Engine per service SID name, use NT SERVICE\MSSQLSERVER for a default instance, or NT SERVICE\MSSQL$<InstanceName> for a named instance.)

  5. Select Check Names to validate the entry. (If the validation fails, it might advise you that the name wasn't found. When you select OK, a Multiple Names Found dialog box appears. Now select the per-service SID name, either NT SERVICE\MSSQLSERVER or NT SERVICE\MSSQL$<InstanceName>, and then select OK. Select OK again to return to the Permissions dialog box.)

  6. In the Group or user names box, select the per-service SID name, and then in the Permissions for <name> box, select the Allow check box for Full control.

  7. Select Apply, and then select OK twice to exit.