Setting Up Windows Service Accounts
Each service in SQL Server represents a process or a set of processes to manage authentication of SQL Server operations with Windows. This topic describes the default configuration of services in this release of SQL Server, and configuration options for SQL Server services that you can set during SQL Server installation.
Depending on the components that you decide to install, SQL Server Setup installs the following services:
SQL Server Database Services - The service for the SQL Server relational Database Engine.
SQL Server Agent - Executes jobs, monitors SQL Server, fires alerts, and enables automation of some administrative tasks.
Примечание
For SQL Server and SQL Server Agent to run as services in Windows, SQL Server and SQL Server Agent must be assigned a Windows user account. For more information about how to customize account information for each service, see How to: Install SQL Server 2008 R2 (Setup).
Analysis Services - Provides online analytical processing (OLAP) and data mining functionality for business intelligence applications.
Reporting Services - Manages, executes, creates, schedules, and delivers reports.
Integration Services - Provides management support for Integration Services package storage and execution.
SQL Server Browser - The name resolution service that provides SQL Server connection information for client computers.
Full-text search - Quickly creates full-text indexes on content and properties of structured and semistructured data to provide document filtering and word-breaking for SQL Server.
SQL Server Active Directory Helper - Publishes and manages SQL Server services in Active Directory.
SQL Writer - Allows backup and restore applications to operate in the Volume Shadow Copy Service (VSS) framework.
Важно!
Always use SQL Server tools such as SQL Server Configuration Manager to change the account used by the SQL Server or SQL Server Agent services, or to change the password for the account. In addition to changing the account name, SQL Server Configuration Manager performs additional configuration such as setting permissions in the Windows Registry so that the new account can read the SQL Server settings. Other tools such as the Windows Services Control Manager can change the account name but do not change associated settings. If the service cannot access the SQL Server portion of the registry, the service may not start properly.
Важно!
For Analysis Services instances that you deploy in a SharePoint farm, always use SharePoint Central Administration to change the server accounts for PowerPivot service applications and the Analysis Services service. Associated settings and permissions are updated to use the new account information when you use Central Administration.
The remainder of this topic is divided into the following sections:
Configuring Service StartupType
Using Startup Accounts for SQL Server Services
Identifying Instance-Aware and Instance-Unaware Services
Reviewing NT Rights and Privileges Granted for SQL Server Service Accounts
Reviewing Access Control Lists Created for SQL Server Service Accounts
Reviewing Windows Permissions for SQL Server Services
Reviewing Additional Considerations
Localized Service Names
Configuring Service Startup Type
During SQL Server Setup, you can configure the startup type - disabled, manual, or automatic - for some SQL Server services. The following table shows the SQL Server services that can be configured during installation. For unattended installations, you can use the switches in a configuration file or at a command prompt.
SQL Server service name |
Configurable in Installation Wizard? |
Switches for unattended installations1 |
---|---|---|
MSSQLSERVER |
Yes |
SQLSVCACCOUNT, SQLSVCPASSWORD, SQLSVCSTARTUPTYPE |
SQLServerAgent2 |
Yes |
AGTSVCACCOUNT, AGTSVCPASSWORD, AGTSVCSTARTUPTYPE |
MSSQLServerOLAPService |
Yes |
ASSVCACCOUNT, ASSVCPASSWORD, ASSVCSTARTUPTYPE |
ReportServer |
Yes |
RSSVCACCOUNT, RSSVCPASSWORD, RSSVCSTARTUPTYPE |
Integration Services |
Yes |
ISSVCACCOUNT, ISSVCPASSWORD, ISSVCSTARTUPTYPE |
1For more information and sample syntax for unattended installations, see How to: Install SQL Server 2008 R2 from the Command Prompt.
2The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.
Using Startup Accounts for SQL Server Services
To start and run, each service in SQL Server must have an account configured during installation. Startup accounts used to start and run SQL Server can be built-in system accounts, local user accounts, or domain user accounts.
Domain User Account
If the service must interact with network services, access domain resources like file shares or if it uses linked server connections to other computers running SQL Server, you might use a minimally-privileged domain account. Many server-to-server activities can be performed only with a domain user account. This account should be pre-created by domain administration in your environment.
Local User Account
If the computer is not part of a domain, a local user account without Windows administrator permissions is recommended.
Local Service Account
The Local Service account is a built-in account that has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session without credentials. Be aware that the Local Service account is not supported for the SQL Server or SQL Server Agent services. The actual name of the account is "NT AUTHORITY\LOCAL SERVICE".
Network Service Account
The Network Service account is a built-in account that has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account. The actual name of the account is "NT AUTHORITY\NETWORK SERVICE".
Local System Account
Local System is a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network. The actual name of the account is "NT AUTHORITY\SYSTEM".
In addition to having user accounts, every service has three possible startup states that users can control:
Disabled The service is installed but not currently running.
Manual The service is installed, but will start only when another service or application needs its functionality.
Automatic The service is automatically started by the operating system.
The following table shows optional accounts for each SQL Server service, and the startup states for each service.
SQL Server service name |
Optional accounts |
Startup type |
Default state following Setup |
---|---|---|---|
SQL Server |
SQL Server Express: Domain User, Local System, Network Service All other editions: Domain User, Local System, Network Service1 |
Automatic1 |
Started Stopped only if user chooses not to autostart. |
SQL Server Agent |
Domain User, Local System, Network Service1 |
Manual1,2 Automatic only if user chooses to autostart |
Stopped Started only if user chooses to autostart. |
Analysis Services |
Domain User, Network Service, Local Service, Local System1 4 |
Automatic1 |
Started Stopped only if user chooses not to autostart. |
Reporting Services |
Domain User, Local System, Network Service, Local Service |
Automatic |
Started Stopped only if user chooses not to autostart. |
Integration Services |
Domain User, Local System, Network Service, Local Service |
Automatic |
Started Stopped only if user chooses not to autostart. |
Full-Text Search |
Use an account different than the account for the SQL Server service. The account will default to Local Service on Windows Server 2008 and Windows Vista. |
Automatic |
Started Stopped only if an account is not specified on Windows Server 2003 or Windows XP. |
SQL Server Browser |
Local Service |
Disabled3 Automatic only if user chooses to autostart. |
Stopped Started only if user chooses to autostart. |
SQL Server Active Directory Helper |
Local System, Network Service |
Disabled |
Stopped |
SQL Writer |
Local System |
Automatic |
Started |
Important
1For failover cluster configurations, use the domain user account and the start up type is set to manual..
2The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.
3By default, for failover cluster installations and named instances, the SQL Server Browser is set to start automatically after Setup finishes.
4Analysis Services instances that you deploy in SharePoint integrated mode must run under domain user accounts. Setup will block installation if you specify a built-in account such as Network Service. Built-in accounts are not allowed for shared services in a farm.
Security Note Always run SQL Server services by using the lowest possible user rights. Use a specific low-privilege user account or domain account instead of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Do not grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted directly to a service SID, where a service SID is supported..
Supported Service Configurations
SQL Server uses a security group to set resource ACLs rather than using the service account directly, so changing the service account can be done without having to repeat the resource ACL process. The security group can be a local security group, a domain security group or a service SID.
During SQL Server installation, SQL Server Setup creates a service group for each SQL Server component. These groups simplify granting the permissions that are required to run SQL Server services and other executables, and help secure SQL Server files.
Depending on the service configuration, the service account for a service or service SID is added as a member of the service group during install or upgrade.
SQL Server enables per-service SID for each of its services on Windows Server 2008 or Windows Vista operating systems in SQL Server 2008 R2 to provide service isolation and defense in depth. The per-service SID is derived from the service name and is unique to that service. For example, a service SID name for SQL Server service might be NT Service\MSSQL$<InstanceName>. Service isolation enables access to specific objects without the need to run a high-privilege account or weaken the security protection of the object. By using an access control entry that contains a service SID, a SQL Server service can restrict access to its resources.
The following table shows the supported service configurations for new and upgraded installations on Windows Server 2008 or Windows Vista.
New installation |
Upgrade |
---|---|
|
|
The following table shows the service configurations for new and upgraded installations on Windows Server 2003 or Windows XP.
New installation |
Upgrade |
---|---|
|
|
For stand-alone instances of SQL Server on Windows Vista and Windows Server 2008 operating systems, service SIDs are added to the service group, and the service SID for SQL Server Engine and SQL Server Agent is added as a login to the Sysadmin server role.
For SQL Server failover cluster instances on Windows Vista and Windows Server 2008 operating systems, by default, SQL Server Setup uses the service SID and sets SQL Server and Operating System resource ACLs to the service SID.
Примечание
To use domain groups on a SQL Server failover cluster, they must be created before you run Setup. We recommend that you use unique domain groups when you install SQL Server services on a SQL Server failover cluster.
Changing Account Properties
To change the service accounts, password, service startup type, or other properties of any SQL Server–related service, use SQL Server Configuration Manager. For Reporting Services, use the Reporting Services Configuration Tool. For Analysis Services in a SharePoint farm, use SharePoint Central Administration. Note that renaming the instance of SQL Server does not rename SQL Server security groups. The security groups will continue to function with the old names after the renaming operation.
Identifying Instance-Aware and Instance-Unaware Services
Instance-aware services are associated with a specific instance of SQL Server, and have their own registry hives. You can install multiple copies of instance-aware services by running SQL Server Setup for each component or service. Instance-unaware services are shared among all installed SQL Server instances. They are not associated with a specific instance, are installed only once, and cannot be installed side-by-side.
Instance-aware services in SQL Server include the following:
SQL Server
SQL Server Agent
Be aware that the SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.
Analysis Services 1
Reporting Services
Full-text search
Instance-unaware services in SQL Server include the following:
Integration Services
SQL Server Browser
SQL Server Active Directory Helper
SQL Writer
1Analysis Services in SharePoint integrated mode runs as 'PowerPivot' as a single, named instance. The instance name is fixed. You cannot specify a different name. You can install only one instance of Analysis Services running as 'PowerPivot' on each physical server.
Reviewing Windows NT Rights and Privileges Granted for SQL Server Service Accounts
The following table shows the user groups that SQL Server Setup creates that are granted specific Windows NT user rights.
SQL Server service |
User group |
Default permissions granted by SQL Server Setup |
---|---|---|
SQL Server |
Default instance: SQLServerMSSQLUser$ComputerName$MSSQLSERVER Named instance: SQLServerMSSQLUser$ComputerName$InstanceName |
Log on as a service (SeServiceLogonRight)1 Replace a process-level token (SeAssignPrimaryTokenPrivilege) Bypass traverse checking (SeChangeNotifyPrivilege) Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) Permission to start SQL Server Active Directory Helper Permission to start SQL Writer Permission to read the Event Log service Permission to read the Remote Procedure Call service
Important
For SQL Server instances on Windows Vista and higher, Log on as a service, Replace a process-level token, Bypass traverse checking, and Adjust memory quotas for a process user rights are granted to the SQL Server service SID.
|
SQL Server Agent3 |
Default instance: SQLServerSQLAgentUser$ComputerName$MSSQLSERVER Named instance: SQLServerSQLAgentUser$ComputerName$InstanceName |
Log on as a service (SeServiceLogonRight) Replace a process-level token (SeAssignPrimaryTokenPrivilege) Bypass traverse checking (SeChangeNotifyPrivilege) Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) |
Analysis Services |
Default instance: SQLServerMSASUser$ComputerName$MSSQLSERVER Named instance: SQLServerMSASUser$ComputerName$InstanceName PowerPivot for SharePoint instance: SQLServerMSASUser$ComputerName$PowerPivot |
Log on as a service (SeServiceLogonRight) |
SSRS |
Default instance: SQLServerReportServerUser$ComputerName$MSRS10_50.MSSQLSERVER Named instance: SQLServerReportServerUser$ComputerName$MSRS10_50.InstanceName |
Log on as a service (SeServiceLogonRight) |
Integration Services |
Default or named instance: SQLServerDTSUser$ComputerName |
Log on as a service (SeServiceLogonRight) Permission to write to application event log. Bypass traverse checking (SeChangeNotifyPrivilege) Impersonate a client after authentication (SeImpersonatePrivilege) Permission to create global objects (SeCreateGlobalPrivilege) |
Full-text search |
Default instance: SQLServerFDHostUser$ ComputerName$MSSQL10_50.MSSQLSERVER Named instance: SQLServerFDHostUser$ComputerName$MSSQL10_50.InstanceName |
Log on as a service (SeServiceLogonRight)
Important
For SQL Server instances on Windows Vista and higher, the Log on as a service permission is granted to the FD Launcher service SID.
|
SQL Server Browser |
Default or named instance: SQLServerSQLBrowserUser$ComputerName |
Log on as a service (SeServiceLogonRight) |
SQL Server Active Directory Helper |
Default or named instance: SQLServerMSSQLServerADHelperUser$ComputerName |
None2 |
SQL Writer |
N/A |
None2 |
1This permission is granted by default to all SQL Server services.
2SQL Server Setup does not check or grant permissions for this service.
3The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.
Reviewing Access Control Lists Created for SQL Server Service Accounts
SQL Server service accounts must have access to resources. Access control lists are set at the user group level.
Важно!
For failover cluster installations, resources on shared disks must be set to an ACL for a local account.
The following table shows the ACLs that are set by SQL Server Setup:
Service account1 for |
Files and folders |
Access |
---|---|---|
MSSQLServer |
Instid\MSSQL\backup |
Full control |
|
Instid\MSSQL\binn |
Read, Execute |
|
Instid\MSSQL\data |
Full control |
|
Instid\MSSQL\FTData |
Full control |
|
Instid\MSSQL\Install |
Read, Execute |
|
Instid\MSSQL\Log |
Full control |
|
Instid\MSSQL\Repldata |
Full control |
|
100\shared |
Read, Execute |
|
Instid\MSSQL\Template Data (SQL Server Express only) |
Read |
SQLServerAgent2 |
Instid\MSSQL\binn |
Full control |
|
Instid\MSSQL\binn |
Full control |
|
Instid\MSSQL\Log |
Read, Write, Delete, Execute |
|
100\com |
Read, Execute |
|
100\shared |
Read, Execute |
|
100\shared\Errordumps |
Read, Write |
ServerName\EventLog |
Full control |
|
FTS |
Instid\MSSQL\FTData |
Full control |
|
Instid\MSSQL\FTRef |
Read, Execute |
|
100\shared |
Read, Execute |
|
100\shared\Errordumps |
Read, Write |
|
Instid\MSSQL\Install |
Read, Execute |
Instid\MSSQL\jobs |
Read, Write |
|
MSSQLServerOLAPservice |
100\shared\ASConfig |
Full control |
|
Instid\OLAP |
Read, Execute |
|
Instid\Olap\Data |
Full control |
|
Instid\Olap\Log |
Read, Write |
|
Instid\OLAP\Backup |
Read, Write |
|
Instid\OLAP\Temp |
Read, Write |
|
100\shared\Errordumps |
Read, Write |
SQLServerReportServerUser |
Instid\Reporting Services\Log Files |
Read, Write, Delete |
|
Instid\Reporting Services\ReportServer |
Read, Execute |
|
Instid\Reportingservices\Reportserver\global.asax |
Full control |
|
Instid\Reportingservices\Reportserver\Reportserver.config |
Read |
|
Instid\Reporting Services\reportManager |
Read, Execute |
|
Instid\Reporting Services\RSTempfiles |
Read, Write, Execute, Delete |
|
100\shared |
Read, Execute |
|
100\shared\Errordumps |
Read, Write |
MSDTSServer100 |
100\dts\binn\MsDtsSrvr.ini.xml |
Read |
|
100\dts\binn |
Read, Execute |
|
100\shared |
Read, Execute |
|
100\shared\Errordumps |
Read, Write |
SQL Server Browser |
100\shared\ASConfig |
Read |
|
100\shared |
Read, Execute |
|
100\shared\Errordumps |
Read, Write |
MSADHelper |
N/A (Runs under Network Service account) |
|
SQLWriter |
N/A (Runs as local system) |
|
User |
Instid\MSSQL\binn |
Read, Execute |
|
Instid\Reporting Services\ReportServer |
Read, Execute, List Folder Contents |
|
Instid\Reportingservices\Reportserver\global.asax |
Read |
|
Instid\Reporting Services\ReportManager |
Read, Execute |
|
Instid\Reporting Services\ReportManager\pages |
Read |
|
Instid\Reporting Services\ReportManager\Styles |
Read |
|
100\dts |
Read, Execute |
|
100\tools |
Read, Execute |
|
90\tools |
Read, Execute |
|
80\tools |
Read, Execute |
|
100\sdk |
Read |
|
Microsoft SQL Server\100\Setup Bootstrap |
Read, Execute |
1 For SQL Server failover clustering installation or SQL Server installation on a domain controller, ACLs will be set for the SQL Server service SID instead of being set for the SQL Server service group, on Windows Vista and Windows Server 2008 operating systems.
2The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.
Some access control permissions might have to be granted to built-in accounts or other SQL Server service accounts. The following table lists additional ACLs that are set by SQL Server Setup.
Requesting component |
Account |
Resource |
Permissions |
---|---|---|---|
MSSQLServer |
Performance Log Users |
Instid\MSSQL\binn |
List folder contents |
|
Performance Monitor Users |
Instid\MSSQL\binn |
List folder contents |
|
Performance Log Users, Performance Monitor Users |
\WINNT\system32\sqlctr100.dll |
Read, Execute |
|
Administrator only |
\\.\root\Microsoft\SqlServer\ServerEvents\<sql_instance_name>1 |
Full control |
|
Administrators, System |
\tools\binn\schemas\sqlserver\2004\07\showplan |
Full control |
|
Users |
\tools\binn\schemas\sqlserver\2004\07\showplan |
Read, Execute |
Reporting Services |
<Report Server Web Service Account> |
<install>\Reporting Services\LogFiles |
DELETE READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_GENERIC_WRITE FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES |
|
Report Manager Application pool identity, ASP.NET account, Everyone |
<install>\Reporting Services\ReportManager, <install>\Reporting Services\ReportManager\Pages\*.*, <install>\Reporting Services\ReportManager\Styles\*.*, <install>\Reporting Services\ReportManager\webctrl_client\1_0\*.* |
Read |
|
Report Manager Application pool identity |
<install>\Reporting Services\ReportManager\Pages\*.* |
Read |
|
<Report Server Web Service Account> |
<install>\Reporting Services\ReportServer |
Read |
|
<Report Server Web Service Account> |
<install>\Reporting Services\ReportServer\global.asax |
Full |
|
Everyone |
<install>\Reporting Services\ReportServer\global.asax |
READ_CONTROL FILE_READ_DATA FILE_READ_EA FILE_READ_ATTRIBUTES |
|
Network service |
<install>\Reporting Services\ReportServer\ReportService.asmx |
Full |
|
Everyone |
<install>\Reporting Services\ReportServer\ReportService.asmx |
READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_GENERIC_EXECUTE FILE_READ_DATA FILE_READ_EA FILE_EXECUTE FILE_READ_ATTRIBUTES |
|
ReportServer Windows Services Account |
<install>\Reporting Services\ReportServer\RSReportServer.config |
DELETE READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_GENERIC_WRITE FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES |
|
Everyone |
Report Server keys (Instid hive) |
Query Value Enumerate SubKeys Notify Read Control |
|
Terminal Services User |
Report Server keys (Instid hive) |
Query Value Set Value Create SubKey Enumerate SubKey Notify Delete Read Control |
|
Power Users |
Report Server keys (Instid hive) |
Query Value Set Value Create Subkey Enumerate Subkeys Notify Delete Read Control |
1This is the WMI provider namespace.
Reviewing Windows Permissions for SQL Server Services
The following table shows service names, the term that is used to refer to the default and named instances of SQL Server services, a description of the service function, and the required minimum permissions.
Display name |
Service name |
Description |
Required permissions |
---|---|---|---|
SQL Server (InstanceName) |
Default instance: MSSQLSERVER Named instance: MSSQL$InstanceName |
SQL Server Database Engine. The path of the executable file is \MSSQL\Binn\sqlservr.exe. |
Local user or domain user account is recommended. Log on as a service (SeServiceLogonRight).1 Replace a process-level token (SeAssignPrimaryTokenPrivilege). Bypass traverse checking (SeChangeNotifyPrivilege). Adjust memory quotas for a process (SeIncreaseQuotaPrivilege). Permission to start SQL Server Active Directory Helper. Permission to start SQL Writer. Permission to read the Event Log service. Permission to read the Remote Procedure Call service.
Minimum permissionsFunctionality
MSSQLServer service startup account
The account must be in the list of accounts that have List Folder permissions on the root drive where SQL Server is installed. It must also be on the root of any other drive where SQL Server files are stored.
Note
The "List Folder" permissions on the root drive do not have to be inherited by the subfolders.
MSSQLServer service startup accountThe account must have Full Control permissions over any folders where data or log files (.mdf, .ndf, .ldf) will reside.
|
SQL Server Agent (InstanceName)1 |
Default instance: SQLServerAgent Named instance: SQLAgent$InstanceName |
Executes jobs, monitors SQL Server, fires alerts, and enables automation of some administrative tasks. The path of the executable file is \MSSQL\Binn\sqlagent.exe. |
Minimum permissionsFunctionality
The account must be a member of the sysadmin fixed server role.
The account must have the following Windows permissions:Log on as a service. Replace a process-level token. Adjust memory quotas for a process. Bypass traverse checking.
|
Analysis Services Services (InstanceName) |
Default instance: MSSQLServerOLAPService Named instance: MSOLAP$InstanceName |
The service that provides online analytical processing (OLAP) and data mining functionality for business intelligence applications. The path of the executable file is \OLAP\Bin\msmdsrv.exe. |
|
Reporting Services |
Default instance: ReportServer Named instance: ReportServer$InstanceName |
Manages, executes, creates, schedules, and delivers reports. The path of the executable is \Reporting Services\ReportServer\Bin\ReportingServicesService.exe. |
|
Integration Services |
Default or named instance: MSDTSServer |
Provides management support for Integration Services package storage and execution. The path of the executable file is \DTS\Binn\msdtssrvr.exe. |
|
Full-text search |
Default or named instance: SQL Full-text Filter Daemon Launcher |
Service to launch the full-text filter daemon process to perform document filtering and word breaking for SQL Server full-text search. |
|
SQL Server Browser |
Default or named instance: SQLBrowser |
The name resolution service that provides SQL Server connection information for client computers. This service is shared across multiple SQL Server and SSIS instances. The path of the executable file is <drive>:\Program Files\Microsoft SQL Server\100\Shared\sqlbrowser.exe. |
|
SQL Server Active Directory Helper |
Default or named instance: MSSQLServerADHelper. |
Publishes and manages SQL Server services in Windows Active Directory. The path of the executable is <drive>:\Program Files\Microsoft SQL Server\100\Shared\sqladhelper.exe. |
|
SQL Writer |
SQLWriter |
Allows backup and restore applications to operate in the Volume Shadow Copy Service framework. There is a single instance of the SQL Writer service for all instances of SQL Server on the server. The path of the executable file is <drive>:\Program Files\Microsoft SQL Server\100\Shared\sqlwriter.exe. |
|
1The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.
Reviewing Additional Considerations
The following table shows the permissions that are required for SQL Server services to provide additional functionality.
Service/Application |
Functionality |
Required permission |
---|---|---|
SQL Server (MSSQLSERVER) |
Write to a mail slot using xp_sendmail. |
Network write permissions. |
SQL Server (MSSQLSERVER) |
Run xp_cmdshell for a user other than a SQL Server administrator. |
Act as part of operating system and replace a process-level token. |
SQL Server Agent (MSSQLSERVER) |
Use the autorestart feature. |
Must be a member of the Administrators local group. |
Database Engine Tuning Advisor |
Tunes databases for optimal query performance. |
On first use, a user who has system administrative credentials must initialize the application. After initialization, dbo users can use the Database Engine Tuning Advisor to tune only those tables that they own. For more information, see "Initializing Database Engine Tuning Advisor on First Use" in SQL Server Books Online. |
Важно!
Before you upgrade SQL Server, enable Windows Authentication for SQL Server Agent and verify the required default configuration: that the SQL Server Agent service account is a member of the SQL Server sysadmin group.
Localized Service Names
The following table shows service names that are displayed by localized versions of Windows.
Language |
Name for Local Service |
Name for Network Service |
Name for Local System |
Name for Admin Group |
---|---|---|---|---|
English Simplified Chinese Traditional Chinese Korean Japanese |
NT AUTHORITY\LOCAL SERVICE |
NT AUTHORITY\NETWORK SERVICE |
NT AUTHORITY\SYSTEM |
BUILTIN\Administrators |
German |
NT-AUTORITÄT\LOKALER DIENST |
NT-AUTORITÄT\NETZWERKDIENST |
NT-AUTORITÄT\SYSTEM |
VORDEFINIERT\Administratoren |
French |
AUTORITE NT\SERVICE LOCAL |
AUTORITE NT\SERVICE RÉSEAU |
AUTORITE NT\SYSTEM |
BUILTIN\Administrateurs |
Italian |
NT AUTHORITY\SERVIZIO LOCALE |
NT AUTHORITY\SERVIZIO DI RETE |
NT AUTHORITY\SYSTEM |
BUILTIN\Administrators |
Spanish |
NT AUTHORITY\SERVICIO LOC |
NT AUTHORITY\SERVICIO DE RED |
NT AUTHORITY\SYSTEM |
BUILTIN\Administradores |
Russian |
NT AUTHORITY\LOCAL SERVICE |
NT AUTHORITY\NETWORK SERVICE |
NT AUTHORITY\SYSTEM |
BUILTIN\Администраторы |