SQL Server Group accounts

SQL Server 2005 and later versions expect the service accounts be changed using Configuration manager and not through Services.msc

The configuration manager does perform other activities such as adding the service accounts to the Groups and this way you don't have to grant access to individual service accounts. 

The group accounts in SQL Server are

SQLServerMSSQLUser$ComputerName$MSSQLSERVER (For SQL Server Service Account)

SQLServerSQLAgentUser$ComputerName$MSSQLSERVER (For SQL Server Agent Account)

SQLServer2005MSFTEUser$ComputerName$MSSQLSERVER (For SQL Server FT account)

their SID's for each of the above accounts are stored in the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\FTSGroup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLGroup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\AgtGroup

To get the SID's of group accounts either from the local system or from a Domain, use the utility PSGETSID

PSGETSID groupname

PSGETSID is part of the PSTools and can be downloaded from

https://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

Service accounts for Integration services and browser is determined by SQL Server at runtime and is not associated with a SID

At runtime SQL Server concantenates SQLServer2005DTSUser$ with the machine name from the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\90\Machines\OriginalMachineName

The full group name for Integration services is in the form SQLServer2005DTSUser$ ComputerName

The same applies for Browser account SQLServer2005SQLBrowserUser$

The full group name for Browser account is in the form SQLServer2005SQLBrowserUser$ ComputerName

For further info on setting up Windows Service Accounts refer https://msdn.microsoft.com/en-us/library/ms143504.aspx

Comments

• Anonymous
  June 15, 2009
  PingBack from http://edebtsettlementprogram.info/story.php?id=24476