Dela via


Selecting an Account for the SQL Server Agent Service

The service startup account defines the Microsoft Windows account in which SQL Server Agent runs and its network permissions. SQL Server Agent runs as a specified user account. For compatibility with earlier versions of SQL Server, SQL Server Agent can also run as the Local System account.

You select an account for the SQL Server Agent service by using SQL Server Configuration Manager, where you can choose from the following options:

  • Built-in account. You can choose from a list of the following built-in Windows service accounts:

    • Local System account. The name of this account is NT AUTHORITY\System. It is a powerful account that has unrestricted access to all local system resources. It is a member of the Windows Administrators group on the local computer, and is therefore a member of the SQL Server sysadmin fixed server role

      Security noteSecurity Note

      The Local System account option is provided for backward compatibility only. The Local System account has permissions that SQL Server Agent does not require. Avoid running SQL Server Agent as the Local System account. For improved security, use a Windows domain account with the permissions listed in the following section, "Windows Domain Account Permissions."

    • Network Service account. The name of this account is NT AUTHORITY\NetworkService. It is available in Microsoft Windows XP and Microsoft Windows Server 2003. All services that run under the Network Service account are authenticated to network resources as the local computer.

      Security noteSecurity Note

      Because multiple services can use the Network Service account, it is difficult to control which services have access to network resources, including SQL Server databases. We do not recommend using the Network Service account for the SQL Server Agent service.

      Important

      Do not select the Local Service account. The SQL Server Agent service cannot be run under this account. It is not supported. The name of this account is NT AUTHORITY\LocalService, and it accesses network resources as a null session with no credentials. It is available in Microsoft Windows XP and Microsoft Windows Server 2003.

  • This account. Lets you specify the Windows domain account in which the SQL Server Agent service runs. We recommend choosing a Windows user account that is not a member of the Windows Administrators group. However, there are limitations for using multiserver administration when the SQL Server Agent service account is not a member of the local Administrators group. For more information, see Service Account Types Supported for SQL Server Agent.

For information about what SQL Server Agent functionality is supported for the various service account types, see Service Account Types Supported for SQL Server Agent.

Windows Domain Account Permissions

For improved security, select This account, which specifies a Windows domain account. The Windows domain account that you specify must have the following permissions:

  • In all Windows versions, permission to log on as a service (SeServiceLogonRight)

Note

The SQL Server Agent service account must be part of the Pre-Windows 2000 Compatible Access group on the domain controller, or jobs that are owned by domain users who are not members of the Windows Administrators group will fail.

  • In Windows servers, the account that the SQL Server Agent Service runs as requires the following permissions to be able to support SQL Server Agent proxies.

    • Permission to act as part of the operating system (SeTcbPrivilege) (only on Windows 2000)

    • Permission to bypass traverse checking (SeChangeNotifyPrivilege)

    • Permission to replace a process-level token (SeAssignPrimaryTokenPrivilege)

    • Permission to adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

    • Permission to log on using the batch logon type (SeBatchLogonRight)

Note

If the account does not have the permissions required to support proxies, only members of the sysadmin fixed server role can create jobs.

Note

To receive WMI alert notification, the service account for SQL Server Agent must have been granted permission to the namespace that contains the WMI events, and ALTER ANY EVENT NOTIFICATION.

SQL Server Role Membership

The account that the SQL Server Agent service runs as must be a member of the following SQL Server roles:

  • The account must be a member of the sysadmin fixed server role.

  • To use multiserver job processing, the account must be a member of the msdb database role TargetServersRole on the master server.

Windows Group Membership

  • The account in which the SQL Server Agent service runs must be a member of the following Windows group:

  • The account must be a member of the Pre-Windows 2000 Compatible Access group on the domain controller to run jobs for users that are not members of the Administrators group.

    Security noteSecurity Note

    For improved security, the SQL Server Agent service account should not be a member of the local Administrators group. However, there are limitations for using multiserver administration when the SQL Server Agent service account is not a member of the local Administrators group. For more information, see Service Account Types Supported for SQL Server Agent.

Common Tasks

To specify the startup account for the SQL Server Agent service

To specify the mail profile for SQL Server Agent

Note

Use SQL Server Configuration Manager to specify that SQL Server Agent must start up when the operating system starts.