
Configure Windows Service Accounts and Permissions Page 1 of 28

Configure Windows Service Accounts and Permissions
SQL Server 2012

Each service in SQL Server represents a process or a set of processes to manage authentication of
SQL Server operations with Windows. This topic describes the default configuration of services in
this release of SQL Server, and configuration options for SQL Server services that you can set
during and after SQL Server installation.

Contents
This topic is divided into the following sections:

Services Installed by SQL Server

Service Properties and Configuration

Default Service Accounts

Changing Account Properties

New Account Types Available with Windows 7 and Windows Server 2008 R2

Automatic Startup

Configuring Services During Unattended Installation

Firewall Port

Service Permissions

Service Configuration and Access Control

Windows Privileges and Rights

File System Permissions Granted to SQL Server Per-service SIDs or Local Windows
Groups

File System Permission Granted to Other Windows User Accounts or Groups

File System Permissions Related to Unusual Disk Locations

Reviewing Additional Considerations

Registry Permissions

WMI

Named Pipes

Provisioning

Database Engine Provisioning

Windows Principals

sa Account

http://msdn.microsoft.com/en-us/library/ms143504(d=printer,v=sql.110).aspx 24/03/2012

SQL Server Per-service SID Login and Privileges

SQL Server Agent Login and Privileges

HADRON and SQL Failover Cluster Instance and Privileges

SQL Writer and Privileges

SQL WMI and Privileges

SSAS Provisioning

SSRS Provisioning

Upgrading From Previous Versions

Appendix

Description of Service Accounts

Identifying Instance-Aware and Instance-Unaware Services

Localized Service Names

Services Installed by SQL Server


Depending on the components that you decide to install, SQL Server Setup installs the following
services:

SQL Server Database Services - The service for the SQL Server relational Database
Engine. The executable file is <MSSQLPATH>\MSSQL\Binn\sqlservr.exe.

SQL Server Agent - Executes jobs, monitors SQL Server, fires alerts, and enables
automation of some administrative tasks. The SQL Server Agent service is present but
disabled on instances of SQL Server Express. The executable file is
<MSSQLPATH>\MSSQL\Binn\sqlagent.exe.

Analysis Services - Provides online analytical processing (OLAP) and data mining
functionality for business intelligence applications. The executable file is
<MSSQLPATH>\OLAP\Bin\msmdsrv.exe.

Reporting Services - Manages, executes, creates, schedules, and delivers reports. The
executable file is <MSSQLPATH>\Reporting
Services\ReportServer\Bin\ReportingServicesService.exe.

Integration Services - Provides management support for Integration Services package
storage and execution. The executable path is <MSSQLPATH>\110\DTS\Binn\MsDtsSrvr.exe

SQL Server Browser - The name resolution service that provides SQL Server connection
information for client computers. The executable path is c:\Program Files (x86)\Microsoft
SQL Server\90\Shared\sqlbrowser.exe

Full-text search - Quickly creates full-text indexes on content and properties of structured
and semistructured data to provide document filtering and word-breaking for SQL Server.

SQL Writer - Allows backup and restore applications to operate in the Volume Shadow
Copy Service (VSS) framework.


SQL Server Distributed Replay Controller - Provides trace replay orchestration across
multiple Distributed Replay client computers.

SQL Server Distributed Replay Client - One or more Distributed Replay client computers
that work together with a Distributed Replay controller to simulate concurrent workloads
against an instance of the SQL Server Database Engine.


Service Properties and Configuration


Startup accounts used to start and run SQL Server can be domain user accounts, local user
accounts, managed service accounts, virtual accounts, or built-in system accounts. To start and
run, each service in SQL Server must have a startup account configured during installation.

This section describes the accounts that can be configured to start SQL Server services, the
default values used by SQL Server Setup, the concept of per-service SIDs, the startup options,
and configuring the firewall.

Default Service Accounts

Automatic Startup

Configuring Service StartupType

Firewall Port

Default Service Accounts

The following table lists the default service accounts used by Setup when installing all
components. The default accounts listed are the recommended accounts, except as noted.

Stand-alone Server or Domain Controller

Component                                  Windows Vista and Windows Server 2008    Windows 7 and Windows Server 2008 R2
Database Engine                            NETWORK SERVICE                          Virtual Account *
SQL Server Agent                           NETWORK SERVICE                          Virtual Account *
SSAS                                       NETWORK SERVICE                          Virtual Account *
SSIS                                       NETWORK SERVICE                          Virtual Account *
SSRS                                       NETWORK SERVICE                          Virtual Account *
SQL Server Distributed Replay Controller   NETWORK SERVICE                          Virtual Account *
SQL Server Distributed Replay Client       NETWORK SERVICE                          Virtual Account *
FD Launcher (Full-text Search)             LOCAL SERVICE                            Virtual Account
SQL Server Browser                         LOCAL SERVICE                            LOCAL SERVICE
SQL Server VSS Writer                      LOCAL SYSTEM                             LOCAL SYSTEM

* When resources external to the SQL Server computer are needed, Microsoft recommends using
a Managed Service Account (MSA), configured with the minimum privileges necessary.

SQL Server Failover Cluster Instance

Component                        Windows Server 2008                      Windows Server 2008 R2
Database Engine                  None. Provide a domain user account.     Provide a domain user account.
SQL Server Agent                 None. Provide a domain user account.     Provide a domain user account.
SSAS                             None. Provide a domain user account.     Provide a domain user account.
SSIS                             NETWORK SERVICE                          Virtual Account
SSRS                             NETWORK SERVICE                          Virtual Account
FD Launcher (Full-text Search)   LOCAL SERVICE                            Virtual Account
SQL Server Browser               LOCAL SERVICE                            LOCAL SERVICE
SQL Server VSS Writer            LOCAL SYSTEM                             LOCAL SYSTEM

Changing Account Properties

Important

Always use SQL Server tools such as SQL Server Configuration Manager to change the
account used by the SQL Server Database Engine or SQL Server Agent services, or to
change the password for the account. In addition to changing the account name, SQL
Server Configuration Manager performs additional configuration such as updating the
Windows local security store which protects the service master key for the Database
Engine. Other tools such as the Windows Services Control Manager can change the
account name but do not change all the required settings.

For Analysis Services instances that you deploy in a SharePoint farm, always use
SharePoint Central Administration to change the server accounts for PowerPivot service
applications and the Analysis Services service. Associated settings and permissions are
updated to use the new account information when you use Central Administration.

To change Reporting Services options, use the Reporting Services Configuration Tool.
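The following PowerShell script is an added example and is not part of the original Microsoft page. It changes the SQL Server Agent service account of a named instance through the SQL Server WMI provider (the SMO ManagedComputer class), which is the programmatic route behind SQL Server Configuration Manager, so the extra configuration described in the Important note above is performed rather than only the Service Control Manager entry. The instance name PAYROLL, the pre-created MSA CORP\svc-sqlagent$, and an elevated session on the SQL Server host are assumptions.

```powershell
# Added example, not from the original page. Change a SQL Server service
# account through the SQL Server WMI provider (what Configuration Manager
# uses) instead of services.msc or sc.exe. Assumptions: named instance
# PAYROLL, MSA CORP\svc-sqlagent$ already created by the domain admins,
# elevated PowerShell on the SQL Server host.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')

$instance   = 'PAYROLL'
$newAccount = 'CORP\svc-sqlagent$'      # MSA or virtual account: trailing $, empty password

$computer = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$svcName  = "SQLAgent`$$instance"       # the Database Engine would be MSSQL$<instance>
$agent    = $computer.Services | Where-Object { $_.Name -eq $svcName } | Select-Object -First 1
if (-not $agent) { throw "Service $svcName not found on $($computer.Name)" }

"Before: {0} runs as {1} ({2})" -f $agent.Name, $agent.ServiceAccount, $agent.ServiceState

# SetServiceAccount updates the SCM entry and the SQL Server specific settings
# (log-on-as-a-service right, service group / per-service SID membership)
# together; services.msc only rewrites the SCM entry. The password is '' for
# an MSA or virtual account; pass the real password for a plain domain user.
$agent.SetServiceAccount($newAccount, '')

# The new identity is used from the next start, so bounce the service.
if ($agent.ServiceState -eq 'Running') {
    $agent.Stop()
    do { Start-Sleep -Seconds 1; $agent.Refresh() } until ($agent.ServiceState -eq 'Stopped')
}
$agent.Start()
do { Start-Sleep -Seconds 1; $agent.Refresh() } until ($agent.ServiceState -eq 'Running')

"After:  {0} runs as {1} ({2})" -f $agent.Name, $agent.ServiceAccount, $agent.ServiceState
```

The same pattern applies to the Database Engine service (MSSQL$<instance>); Reporting Services and Analysis Services in a SharePoint farm keep their own tools as the section above says.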


New Account Types Available with Windows 7 and Windows Server 2008 R2

Windows 7 and Windows Server 2008 R2 have two new types of service accounts called managed
service accounts (MSA) and virtual accounts. Managed service accounts and virtual accounts are
designed to provide crucial applications such as SQL Server with the isolation of their own
accounts, while eliminating the need for an administrator to manually administer the Service
Principal Name (SPN) and credentials for these accounts. These make long term management of
service account users, passwords and SPNs much easier.

Managed Service Accounts

A Managed Service Account (MSA) is a type of domain account created and managed by
the domain controller. It is assigned to a single member computer for use running a
service. The password is managed automatically by the domain controller. You cannot use an
MSA to log into a computer, but a computer can use an MSA to start a Windows service. An
MSA has the ability to register a Service Principal Name (SPN) with Active Directory. An
MSA is named with a $ suffix, for example DOMAIN\ACCOUNTNAME$. When specifying an
MSA, leave the password blank.

Note

The MSA must be created in the Active Directory by the domain administrator before
SQL Server setup can use it for SQL Server services.

Virtual Accounts

Virtual accounts in Windows Server 2008 R2 and Windows 7 are managed local accounts
that provide the following features to simplify service administration. The virtual account is
auto-managed, and the virtual account can access the network in a domain environment. If
the default value is used for the service accounts during SQL Server setup on Windows
Server 2008 R2 or Windows 7, a virtual account using the instance name as the service
name is used, in the format NT SERVICE\<SERVICENAME>. Services that run as virtual
accounts access network resources by using the credentials of the computer account in the
format <domain_name>\<computer_name>$. When specifying a virtual account to start
SQL Server, leave the password blank.

Note

Virtual accounts cannot be used for SQL Server Failover Cluster Instance, because the
virtual account would not have the same SID on each node of the cluster.

The following table lists examples of virtual account names.

Service                                                               Virtual Account Name
Default instance of the Database Engine service                       NT SERVICE\MSSQLSERVER
Named instance of a Database Engine service named PAYROLL             NT SERVICE\MSSQL$PAYROLL
SQL Server Agent service on the default instance of SQL Server        NT SERVICE\SQLSERVERAGENT
SQL Server Agent service on an instance of SQL Server named PAYROLL   NT SERVICE\SQLAGENT$PAYROLL

For more information on Managed Service Accounts and Virtual Accounts, see the "Managed
service account and virtual account concepts" section of the Service Accounts Step-by-Step
Guide and the Managed Service Accounts Frequently Asked Questions (FAQ).

Security Note: Always run SQL Server services by using the lowest possible user rights. Use an
MSA or virtual account when possible. When MSA and virtual accounts are not possible, use a
specific low-privilege user account or domain account instead of a shared account for SQL Server
services. Use separate accounts for different SQL Server services. Do not grant additional
permissions to the SQL Server service account or the service groups. Permissions will be granted
through group membership or granted directly to a service SID, where a service SID is
supported.

Automatic Startup

In addition to having user accounts, every service has three possible startup states that users
can control:

Disabled    The service is installed but not currently running.
Manual      The service is installed, but will start only when another service or application
            needs its functionality.
Automatic   The service is automatically started by the operating system.

The startup state is selected during setup. When installing a named instance, the SQL Server
Browser service should be set to start automatically.

Configuring Services During Unattended Installation

The following table shows the SQL Server services that can be configured during installation. For
unattended installations, you can use the switches in a configuration file or at a command
prompt.

SQL Server service name (1)                Switches for unattended installations
MSSQLSERVER                                SQLSVCACCOUNT, SQLSVCPASSWORD, SQLSVCSTARTUPTYPE
SQLServerAgent (2)                         AGTSVCACCOUNT, AGTSVCPASSWORD, AGTSVCSTARTUPTYPE
MSSQLServerOLAPService                     ASSVCACCOUNT, ASSVCPASSWORD, ASSVCSTARTUPTYPE
ReportServer                               RSSVCACCOUNT, RSSVCPASSWORD, RSSVCSTARTUPTYPE
Integration Services                       ISSVCACCOUNT, ISSVCPASSWORD, ISSVCSTARTUPTYPE
SQL Server Distributed Replay Controller   DRU_CTLR, CTLRSVCACCOUNT, CTLRSVCPASSWORD, CTLRSTARTUPTYPE, CTLRUSERS
SQL Server Distributed Replay Client       DRU_CLT, CLTSVCACCOUNT, CLTSVCPASSWORD, CLTSTARTUPTYPE, CLTCTLRNAME,
                                           CLTWORKINGDIR, CLTRESULTDIR

(1) For more information and sample syntax for unattended installations, see Install SQL Server
2012 from the Command Prompt.

(2) The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server
Express with Advanced Services.
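The following PowerShell script is an added example and is not part of the original Microsoft page. It shows the switches from the table above used in a configuration file for an unattended install of a named Database Engine instance (SQL Server Agent is part of that feature), with the engine running as an MSA and no password stored anywhere in the file. The media path D:\, the instance name PAYROLL, the MSA CORP\svc-sqlpayroll$, the sysadmin group CORP\SQL-DBAs, and the working directory C:\SQLSetup are assumptions.

```powershell
# Added example, not from the original page. Unattended install of a named
# Database Engine instance with the service accounts set in a configuration
# file. Assumptions: setup media at D:\, instance PAYROLL, an MSA
# CORP\svc-sqlpayroll$ pre-created by the domain admins (the engine needs
# network resources), sysadmin group CORP\SQL-DBAs. Run elevated.
$instance = 'PAYROLL'
$workDir  = 'C:\SQLSetup'
$cfgPath  = Join-Path $workDir 'ConfigurationFile.ini'
if (-not (Test-Path $workDir)) { New-Item -ItemType Directory -Path $workDir | Out-Null }

@"
[OPTIONS]
ACTION="Install"
FEATURES=SQLENGINE
INSTANCENAME="$instance"
QUIET="True"
IACCEPTSQLSERVERLICENSETERMS="True"
; Engine runs as an MSA: the name ends in a dollar sign and SQLSVCPASSWORD is omitted.
SQLSVCACCOUNT="CORP\svc-sqlpayroll`$"
SQLSVCSTARTUPTYPE="Automatic"
; Agent stays on its virtual account (the Windows Server 2008 R2 default); no password.
AGTSVCACCOUNT="NT Service\SQLAgent`$$instance"
AGTSVCSTARTUPTYPE="Automatic"
; Clients locate a named instance through SQL Server Browser, so it must auto-start.
BROWSERSVCSTARTUPTYPE="Automatic"
; Explicit sysadmin list instead of the local Administrators group.
SQLSYSADMINACCOUNTS="CORP\SQL-DBAs"
TCPENABLED="1"
"@ | Set-Content -Path $cfgPath -Encoding ASCII

& 'D:\setup.exe' /ConfigurationFile=$cfgPath
if ($LASTEXITCODE -ne 0) {
    throw "Setup failed with exit code $LASTEXITCODE; see Microsoft SQL Server\110\Setup Bootstrap\Log\Summary.txt"
}

# Confirm which identities the SCM actually registered.
Get-WmiObject Win32_Service -Filter "Name='MSSQL`$$instance' OR Name='SQLAgent`$$instance'" |
    Select-Object Name, StartName, StartMode, State
```

Because the file carries no password it can be kept under source control; if a plain domain user is used instead, pass SQLSVCPASSWORD on the command line at run time rather than writing it into the file.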

Firewall Port

In most cases, when initially installed, the Database Engine can be connected to by tools such as
SQL Server Management Studio installed on the same computer as SQL Server. For more
information, see Lesson 1: Connecting to the Database Engine. SQL Server Setup does not open
ports in the Windows firewall. Connections from other computers may not be possible until the
Database Engine is configured to listen on a TCP port, and the appropriate port is opened for
connections in the Windows firewall. For more information, see Lesson 2: Connecting from
Another Computer and Configure the Windows Firewall to Allow SQL Server Access.
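The following PowerShell script is an added example and is not part of the original Microsoft page. It reads the TCP port the instance is actually configured to listen on, refuses to continue if the instance still uses a dynamic port, and then opens the Windows Firewall for that port only from the application subnet. The instance name PAYROLL and the subnet 10.20.0.0/24 are assumptions; netsh is used because it is present on Windows Server 2008 R2, where the NetSecurity cmdlets are not. UDP 1434 for SQL Server Browser is not stated on this page; it is the port the Browser service listens on for named-instance resolution.

```powershell
# Added example, not from the original page. Open the firewall only for the
# port this instance listens on, and only from the application subnet.
# Assumptions: instance PAYROLL, application subnet 10.20.0.0/24. Run elevated.
$instance = 'PAYROLL'
$appnet   = '10.20.0.0/24'

# Map instance name -> instance ID (e.g. MSSQL11.PAYROLL) and read the port
# set in Configuration Manager under TCP/IP -> IPAll.
$ids    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$instId = $ids.$instance
if (-not $instId) { throw "Instance $instance is not registered on this host" }

$tcp  = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
$port = $tcp.TcpPort
if ([string]::IsNullOrEmpty($port)) {
    # An empty TcpPort with TcpDynamicPorts set means the port can change on
    # restart; a firewall rule written now would silently stop matching.
    throw "Instance $instance uses a dynamic TCP port ($($tcp.TcpDynamicPorts)); set a static port first"
}

$rule = "SQL Server ($instance) TCP $port"
# Delete any stale rule of the same name so the script can be re-run.
netsh advfirewall firewall delete rule name="$rule" | Out-Null
netsh advfirewall firewall add rule name="$rule" dir=in action=allow protocol=TCP localport=$port remoteip=$appnet profile=domain

# Named instances are found through SQL Server Browser on UDP 1434; scope it the same way.
netsh advfirewall firewall delete rule name="SQL Server Browser UDP 1434" | Out-Null
netsh advfirewall firewall add rule name="SQL Server Browser UDP 1434" dir=in action=allow protocol=UDP localport=1434 remoteip=$appnet profile=domain

# Show what was written.
netsh advfirewall firewall show rule name="$rule"
```

Scoping by remoteip and profile is the part most "open port 1433" recipes leave out; an unscoped rule exposes the instance to every host that can reach the machine.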

Service Permissions
This section describes the permissions that SQL Server Setup configures for the per-service SIDs
of the SQL Server services.

Service Configuration and Access Control

Windows Privileges and Rights

File System Permissions Granted to SQL Server Per-service SIDs or SQL Server Local
Windows Groups

File System Permissions Granted to Other Windows User Accounts or Groups

File System Permissions Related to Unusual Disk Locations

Reviewing Additional Considerations

Registry Permissions

WMI

Named Pipes

Service Configuration and Access Control

SQL Server 2012 enables per-service SID for each of its services to provide service isolation and
defense in depth. The per-service SID is derived from the service name and is unique to that
service. For example, a service SID name for the Database Engine service might be NT
Service\MSSQL$<InstanceName>. Service isolation enables access to specific objects without
the need to run a high-privilege account or weaken the security protection of the object. By using
an access control entry that contains a service SID, a SQL Server service can restrict access to its
resources.

Note

On Windows 7 and Windows Server 2008 R2 the per-service SID can be the virtual account
used by the service.

For most components SQL Server configures the ACL for the per-service account directly, so
changing the service account can be done without having to repeat the resource ACL process.

When installing SSAS, a per-service SID for the Analysis Services service is created. A local
Windows group is created, named in the format
SQLServerMSASUser$computer_name$instance_name. The per-service SID NT
SERVICE\MSSQLServerOLAPService is granted membership in the local Windows group, and
the local Windows group is granted the appropriate permissions in the ACL. If the account used to
start the Analysis Services service is changed, SQL Server Configuration Manager must change
some Windows permissions (such as the right to log on as a service), but the permissions
assigned to the local Windows group will still be available without any updating, because the per-
service SID has not changed. This method allows the Analysis Services service to be renamed
during upgrades.

During SQL Server installation, SQL Server Setup creates local Windows groups for SSAS and
the SQL Server Browser service. For these services, SQL Server configures the ACL for the local
Windows groups.

Depending on the service configuration, the service account for a service or service SID is added
as a member of the service group during install or upgrade.
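The following PowerShell script is an added example and is not part of the original Microsoft page. It serves both the virtual account names listed under Virtual Accounts above and the per-service SID provisioning described in this section: it derives each per-service SID from the service name with sc.exe showsid, confirms that the NT SERVICE\<name> virtual account resolves to the same SID once the service exists, and lists the members of the local groups Setup creates for SSAS and SQL Server Browser. The instance name PAYROLL is an assumption; the service and group names follow the naming rules on this page.

```powershell
# Added example, not from the original page. Show the per-service SIDs that
# Setup writes into ACLs, check that the virtual account resolves to the same
# SID, and list the SSAS / Browser local group members. Assumption: instance
# PAYROLL; SSAS is the default instance.
$instance = 'PAYROLL'
$services = @(
    "MSSQL`$$instance",            # Database Engine, named instance
    "SQLAgent`$$instance",         # SQL Server Agent, named instance
    "MSSQLFDLauncher`$$instance",  # Full-text filter daemon launcher
    'MSSQLServerOLAPService',      # SSAS, default instance
    'SQLBrowser',
    'SQLWriter'
)

foreach ($svc in $services) {
    # sc showsid derives S-1-5-80-... from the service name alone, so it also
    # works before the service exists and ACLs can be planned ahead of install.
    $out    = & sc.exe showsid $svc
    $sid    = (($out | Where-Object { $_ -match '^SERVICE SID:' }) -replace '^SERVICE SID:\s*', '').Trim()
    $status = (($out | Where-Object { $_ -match '^STATUS:' }) -replace '^STATUS:\s*', '').Trim()

    # Once installed, NT SERVICE\<name> must translate to exactly that SID;
    # this is why an ACL on the SID survives a service account change.
    $resolved = $null
    try {
        $acct     = New-Object System.Security.Principal.NTAccount('NT SERVICE', $svc)
        $resolved = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { }
    $check = if (-not $resolved) { '(not installed)' } elseif ($resolved -eq $sid) { 'OK' } else { 'MISMATCH' }
    "{0,-34} {1,-64} {2,-9} {3}" -f "NT SERVICE\$svc", $sid, $status, $check
}

# SSAS and SQL Server Browser are ACLed through local groups whose names embed
# the computer name; Setup adds the service SID (or account) as a member.
$groups = @(
    "SQLServerMSASUser`$$env:COMPUTERNAME`$MSSQLSERVER",
    "SQLServer2005SQLBrowserUser`$$env:COMPUTERNAME"
)
foreach ($g in $groups) {
    try {
        $grp     = [ADSI]"WinNT://./$g,group"
        $members = @($grp.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })
        "{0}: {1}" -f $g, ($members -join ', ')
    } catch {
        "{0}: group not present (component not installed?)" -f $g
    }
}
```

A MISMATCH line means the name that LSA resolves is not the one Setup provisioned, which happens when a service is re-registered under a different name; an ACL still carrying the old SID then grants nothing to the running service.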

Windows Privileges and Rights

The account assigned to start a service needs the Start, stop and pause permission for the
service. The SQL Server Setup program automatically assigns this. First install Remote Server
Administration Tools (RSAT). See Remote Server Administration Tools for Windows 7.

The following table shows the permissions that SQL Server Setup requests for the per-service SIDs
or local Windows groups used by SQL Server components.

SQL Server Service: SQL Server Database Engine
    (All rights are granted to the per-service SID. Default instance: NT SERVICE\MSSQLSERVER.
    Named instance: NT SERVICE\MSSQL$InstanceName.)
    Permissions granted by SQL Server Setup:
        Log on as a service (SeServiceLogonRight)
        Replace a process-level token (SeAssignPrimaryTokenPrivilege)
        Bypass traverse checking (SeChangeNotifyPrivilege)
        Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
        Permission to start SQL Writer
        Permission to read the Event Log service
        Permission to read the Remote Procedure Call service

SQL Server Service: SQL Server Agent (1)
    (All rights are granted to the per-service SID. Default instance: NT Service\SQLSERVERAGENT.
    Named instance: NT Service\SQLAGENT$InstanceName.)
    Permissions granted by SQL Server Setup:
        Log on as a service (SeServiceLogonRight)
        Replace a process-level token (SeAssignPrimaryTokenPrivilege)
        Bypass traverse checking (SeChangeNotifyPrivilege)
        Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

SQL Server Service: SSAS
    (All rights are granted to a local Windows group. Default instance:
    SQLServerMSASUser$ComputerName$MSSQLSERVER. Named instance:
    SQLServerMSASUser$ComputerName$InstanceName. PowerPivot for SharePoint instance:
    SQLServerMSASUser$ComputerName$PowerPivot.)
    Permissions granted by SQL Server Setup:
        Log on as a service (SeServiceLogonRight)

SQL Server Service: SSRS
    (All rights are granted to the per-service SID. Default instance: NT SERVICE\ReportServer.
    Named instance: NT SERVICE\ReportServer$InstanceName.)
    Permissions granted by SQL Server Setup:
        Log on as a service (SeServiceLogonRight)

SQL Server Service: SSIS
    (All rights are granted to the per-service SID. Default instance and named instance:
    NT SERVICE\MsDtsServer110. Integration Services does not have a separate process for a named
    instance.)
    Permissions granted by SQL Server Setup:
        Log on as a service (SeServiceLogonRight)
        Permission to write to the application event log
        Bypass traverse checking (SeChangeNotifyPrivilege)
        Impersonate a client after authentication (SeImpersonatePrivilege)

SQL Server Service: Full-text search
    (All rights are granted to the per-service SID. Default instance: NT Service\MSSQLFDLauncher.
    Named instance: NT Service\MSSQLFDLauncher$InstanceName.)
    Permissions granted by SQL Server Setup:
        Log on as a service (SeServiceLogonRight)
        Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
        Bypass traverse checking (SeChangeNotifyPrivilege)

SQL Server Service: SQL Server Browser
    (All rights are granted to a local Windows group. Default or named instance:
    SQLServer2005SQLBrowserUser$ComputerName. SQL Server Browser does not have a separate process
    for a named instance.)
    Permissions granted by SQL Server Setup:
        Log on as a service (SeServiceLogonRight)

SQL Server Service: SQL Server VSS Writer
    (All rights are granted to the per-service SID. Default or named instance: NT Service\SQLWriter.
    SQL Server VSS Writer does not have a separate process for a named instance.)
    Permissions granted by SQL Server Setup:
        The SQLWriter service runs under the LOCAL SYSTEM account, which has all the required
        permissions. SQL Server Setup does not check or grant permissions for this service.

SQL Server Service: SQL Server Distributed Replay Controller
    Permissions granted by SQL Server Setup:
        Log on as a service (SeServiceLogonRight)

SQL Server Service: SQL Server Distributed Replay Client
    Permissions granted by SQL Server Setup:
        Log on as a service (SeServiceLogonRight)

(1) The SQL Server Agent service is disabled on instances of SQL Server Express.
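The following PowerShell script is an added example and is not part of the original Microsoft page. It exports the local user-rights assignments with secedit and compares the rights the Database Engine per-service SID holds directly with the four rights the table above says Setup grants, so that privilege creep (a SeDebugPrivilege or SeTcbPrivilege added during troubleshooting, for example) is reported. The instance name PAYROLL is an assumption; secedit needs an elevated session.

```powershell
# Added example, not from the original page. Compare the user rights actually
# held by NT SERVICE\MSSQL$<instance> with what Setup grants (table above).
# Assumption: instance PAYROLL. Run elevated (secedit /export needs it).
$instance = 'PAYROLL'
$svc = "MSSQL`$$instance"
$sid = (((& sc.exe showsid $svc) | Where-Object { $_ -match '^SERVICE SID:' }) -replace '^SERVICE SID:\s*', '').Trim()
if (-not $sid) { throw "Could not compute the per-service SID for $svc" }

# Rights Setup grants to the Database Engine per-service SID.
$expected = @('SeServiceLogonRight', 'SeAssignPrimaryTokenPrivilege',
              'SeChangeNotifyPrivilege', 'SeIncreaseQuotaPrivilege')

$inf = Join-Path $env:TEMP 'user-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
# Export lines look like:  SeServiceLogonRight = *S-1-5-80-...,*S-1-5-21-...
$held = @(Get-Content $inf -Encoding Unicode | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') {
        $right   = $matches[1]
        $holders = $matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        if ($holders -contains $sid) { $right }
    }
})
Remove-Item $inf

$missing = @($expected | Where-Object { $held -notcontains $_ })
$extra   = @($held     | Where-Object { $expected -notcontains $_ })

"Service SID          : $sid"
"Rights held directly : $($held -join ', ')"
"Missing vs. Setup    : $(if ($missing) { $missing -join ', ' } else { 'none' })"
"Beyond Setup         : $(if ($extra)   { $extra   -join ', ' } else { 'none' })"
```

A right the service SID holds only through a group (Everyone commonly carries SeChangeNotifyPrivilege) is listed under that group's SID, not the service SID, so it shows as "missing" here; anything under "Beyond Setup" is a direct grant somebody added and should be justified or removed.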

File System Permissions Granted to SQL Server Per-service SIDs or Local Windows Groups

SQL Server service accounts must have access to resources. Access control lists are set for the
per-service SID or the local Windows group.

Important

For failover cluster installations, resources on shared disks must be set to an ACL for a local
account.

The following table shows the ACLs that are set by SQL Server Setup:

Service account for: MSSQLServer
    Files and folders                                             Access
    Instid\MSSQL\backup                                           Full control
    Instid\MSSQL\binn                                             Read, Execute
    Instid\MSSQL\data                                             Full control
    Instid\MSSQL\FTData                                           Full control
    Instid\MSSQL\Install                                          Read, Execute
    Instid\MSSQL\Log                                              Full control
    Instid\MSSQL\Repldata                                         Full control
    110\shared                                                    Read, Execute
    Instid\MSSQL\Template Data (SQL Server Express only)          Read

Service account for: SQLServerAgent (1)
    Instid\MSSQL\binn                                             Full control
    Instid\MSSQL\Log                                              Read, Write, Delete, Execute
    110\com                                                       Read, Execute
    110\shared                                                    Read, Execute
    110\shared\Errordumps                                         Read, Write
    ServerName\EventLog                                           Full control

Service account for: FTS
    Instid\MSSQL\FTData                                           Full control
    Instid\MSSQL\FTRef                                            Read, Execute
    110\shared                                                    Read, Execute
    110\shared\Errordumps                                         Read, Write
    Instid\MSSQL\Install                                          Read, Execute
    Instid\MSSQL\jobs                                             Read, Write

Service account for: MSSQLServerOLAPservice
    110\shared\ASConfig                                           Full control
    Instid\OLAP                                                   Read, Execute
    Instid\Olap\Data                                              Full control
    Instid\Olap\Log                                               Read, Write
    Instid\OLAP\Backup                                            Read, Write
    Instid\OLAP\Temp                                              Read, Write
    110\shared\Errordumps                                         Read, Write

Service account for: SQLServerReportServerUser
    Instid\Reporting Services\Log Files                           Read, Write, Delete
    Instid\Reporting Services\ReportServer                        Read, Execute
    Instid\Reportingservices\Reportserver\global.asax             Full control
    Instid\Reportingservices\Reportserver\Reportserver.config     Read
    Instid\Reporting Services\reportManager                       Read, Execute
    Instid\Reporting Services\RSTempfiles                         Read, Write, Execute, Delete
    110\shared                                                    Read, Execute
    110\shared\Errordumps                                         Read, Write

Service account for: MSDTSServer100
    110\dts\binn\MsDtsSrvr.ini.xml                                Read
    110\dts\binn                                                  Read, Execute
    110\shared                                                    Read, Execute
    110\shared\Errordumps                                         Read, Write

Service account for: SQL Server Browser
    110\shared\ASConfig                                           Read
    110\shared                                                    Read, Execute
    110\shared\Errordumps                                         Read, Write

Service account for: SQLWriter
    N/A (Runs as local system)

Service account for: User
    Instid\MSSQL\binn                                             Read, Execute
    Instid\Reporting Services\ReportServer                        Read, Execute, List Folder Contents
    Instid\Reportingservices\Reportserver\global.asax             Read
    Instid\Reporting Services\ReportManager                       Read, Execute
    Instid\Reporting Services\ReportManager\pages                 Read
    Instid\Reporting Services\ReportManager\Styles                Read
    110\dts                                                       Read, Execute
    110\tools                                                     Read, Execute
    100\tools                                                     Read, Execute
    90\tools                                                      Read, Execute
    80\tools                                                      Read, Execute
    110\sdk                                                       Read
    Microsoft SQL Server\110\Setup Bootstrap                      Read, Execute

Service account for: SQL Server Distributed Replay Controller
    <ToolsDir>\DReplayController\Log\ (empty directory)           Read, Execute, List Folder Contents
    <ToolsDir>\DReplayController\DReplayController.exe            Read, Execute, List Folder Contents
    <ToolsDir>\DReplayController\resources\                       Read, Execute, List Folder Contents
    <ToolsDir>\DReplayController\{all dlls}                       Read, Execute, List Folder Contents
    <ToolsDir>\DReplayController\DReplayController.config         Read, Execute, List Folder Contents
    <ToolsDir>\DReplayController\IRTemplate.tdf                   Read, Execute, List Folder Contents
    <ToolsDir>\DReplayController\IRDefinition.xml                 Read, Execute, List Folder Contents

Service account for: SQL Server Distributed Replay Client
    <ToolsDir>\DReplayClient\Log\                                 Read, Execute, List Folder Contents
    <ToolsDir>\DReplayClient\DReplayClient.exe                    Read, Execute, List Folder Contents
    <ToolsDir>\DReplayClient\resources\                           Read, Execute, List Folder Contents
    <ToolsDir>\DReplayClient\ (all dlls)                          Read, Execute, List Folder Contents
    <ToolsDir>\DReplayClient\DReplayClient.config                 Read, Execute, List Folder Contents
    <ToolsDir>\DReplayClient\IRTemplate.tdf                       Read, Execute, List Folder Contents
    <ToolsDir>\DReplayClient\IRDefinition.xml                     Read, Execute, List Folder Contents

(1) The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server
Express with Advanced Services.
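The following PowerShell script is an added example and is not part of the original Microsoft page. It resolves the real instance directory behind "Instid" from the registry and audits the ACLs on the Database Engine's data, log, backup and binn folders against the table above: the per-service SID must be present, and no broad principal (Everyone, Users, Authenticated Users) and no account other than the service SID, SYSTEM and Administrators may have write access. The instance name PAYROLL is an assumption.

```powershell
# Added example, not from the original page. Audit the NTFS ACLs on an
# instance's folders against what Setup provisions. Assumption: instance PAYROLL.
$instance = 'PAYROLL'
$ids    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$instId = $ids.$instance
if (-not $instId) { throw "Instance $instance is not registered on this host" }
# SQLPath is the "Instid\MSSQL" folder the table above refers to.
$root = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instId\Setup").SQLPath

$svcSid  = "NT SERVICE\MSSQL`$$instance"
$trusted = @($svcSid, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
$broad   = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, Modify, FullControl'

foreach ($sub in 'DATA', 'Log', 'Backup', 'Binn') {
    $dir = Join-Path $root $sub
    if (-not (Test-Path $dir)) { continue }
    $acl = Get-Acl $dir

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        # Generic rights on inherit-only ACEs show up as raw numbers; they do
        # not intersect the mask and are ignored here on purpose.
        $canWrite = (([int]$ace.FileSystemRights) -band ([int]$writeMask)) -ne 0
        if ($canWrite -and ($broad -contains $id)) {
            "WARN  $dir : $id has write ($($ace.FileSystemRights))"
        } elseif ($canWrite -and ($trusted -notcontains $id)) {
            "CHECK $dir : $id has write ($($ace.FileSystemRights)); not the per-service SID"
        }
    }

    if (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $svcSid })) {
        "WARN  $dir : no ACE for $svcSid (service account changed outside Configuration Manager?)"
    }
    if (-not $acl.AreAccessRulesProtected) {
        "INFO  $dir : inherits ACEs from $(Split-Path $dir)"
    }
}
```

A CHECK line is normal when the engine runs as a domain user that was also granted rights by hand; the point of the SID-based ACL is that such grants are unnecessary, and each one is something to remove rather than carry forward at the next account change.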

File System Permissions Granted to Other Windows User Accounts or Groups

Some access control permissions might have to be granted to built-in accounts or other SQL
Server service accounts. The following table lists additional ACLs that are set by SQL Server
Setup. (Several access-right names in the Access column are cut off in the source and are
reproduced here as they appear.)

Requesting component: MSSQLServer

    Account:  Performance Log Users
    Resource: Instid\MSSQL\binn
    Access:   List folder contents

    Account:  Performance Monitor Users
    Resource: Instid\MSSQL\binn
    Access:   List folder contents

    Account:  Performance Log Users, Performance Monitor Users
    Resource: \WINNT\system32\sqlctr110.dll
    Access:   Read, Execute

    Account:  Administrator only (1)
    Resource: \\.\root\Microsoft\SqlServer\ServerEvents\<sql_instance_name>
    Access:   Full control

    Account:  Administrators, System
    Resource: \tools\binn\schemas\sqlserver\2004\07\showplan
    Access:   Full control

    Account:  Users
    Resource: \tools\binn\schemas\sqlserver\2004\07\showplan
    Access:   Read, Execute

Requesting component: Reporting Services

    Account:  <Report Server Web Service Account>
    Resource: <install>\Reporting Services\LogFiles
    Access:   DELETE, READ_CONTROL, SYNCHRONIZE, FILE_GENER, FILE_GENER, FILE_READ_, FILE_WRITE,
              FILE_APPEND_DATA, FILE_READ_, FILE_WRITE, FILE_READ_, FILE_WRITE

    Account:  Report Manager Application pool identity, ASP.NET account, Everyone
    Resource: <install>\Reporting Services\ReportManager,
              <install>\Reporting Services\ReportManager\Pages\*.*,
              <install>\Reporting Services\ReportManager\Styles\*.*,
              <install>\Reporting Services\ReportManager\webctrl_client\1_0\*.*
    Access:   Read

    Account:  Report Manager Application pool identity
    Resource: <install>\Reporting Services\ReportManager\Pages\*.*
    Access:   Read

    Account:  <Report Server Web Service Account>
    Resource: <install>\Reporting Services\ReportServer
    Access:   Read

    Account:  <Report Server Web Service Account>
    Resource: <install>\Reporting Services\ReportServer\global.asax
    Access:   Full

    Account:  Everyone
    Resource: <install>\Reporting Services\ReportServer\global.asax
    Access:   READ_CONTROL, FILE_READ_, FILE_READ_, FILE_READ_

    Account:  Network service
    Resource: <install>\Reporting Services\ReportServer\ReportService.asmx
    Access:   Full

    Account:  Everyone
    Resource: <install>\Reporting Services\ReportServer\ReportService.asmx
    Access:   READ_CONTROL, SYNCHRONIZE, FILE_GENER, FILE_GENER, FILE_READ_, FILE_READ_,
              FILE_EXECUTE, FILE_READ_

    Account:  ReportServer Windows Services Account
    Resource: <install>\Reporting Services\ReportServer\RSReportServer.config
    Access:   DELETE, READ_CONTROL, SYNCHRONIZE, FILE_GENER, FILE_GENER, FILE_READ_, FILE_WRITE,
              FILE_APPEND_DATA, FILE_READ_, FILE_WRITE, FILE_READ_, FILE_WRITE

    Account:  Everyone
    Resource: Report Server keys (Instid hive)
    Access:   Query Value, Enumerate Subkeys, Notify, Read Control

    Account:  Terminal Services User
    Resource: Report Server keys (Instid hive)
    Access:   Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, Read Control

    Account:  Power Users
    Resource: Report Server keys (Instid hive)
    Access:   Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, Read Control

(1) This is the WMI provider namespace.

File System Permissions Related to Unusual Disk Locations

The default drive for locations for installation is systemdrive, normally drive C. When tempdb or
user databases are installed

Non-default Drive

When installed to a local drive that is not the default drive, the per-service SID must have access
to the file location. SQL Server Setup will provision the required access.

Network Share

When databases are installed to a network share, the service account must have access to the
file location of the user and tempdb databases. SQL Server Setup cannot provision access to a
network share. The user must provision access to a tempdb location for the service account
before running setup. The user must provision access to the user database location before
creating the database.

Note

Virtual accounts cannot be authenticated to a remote location. All virtual accounts use the
permissions of the machine account. Provision the machine account in the format
<domain_name>\<computer_name>$.
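The following PowerShell script is an added example and is not part of the original Microsoft page. It provisions a network share location for an instance that runs as a virtual account: because the virtual account cannot authenticate to the file server, the NTFS grant goes to the SQL host's computer account DOMAIN\HOST$, and the script fails if an NT SERVICE\ entry (meaningless on a remote machine) is found on the folder. The domain CORP, the share \\fs01\sqldata and the instance name PAYROLL are assumptions; it is meant to be run from the SQL Server host by an account that administers the share, before Setup (for tempdb) or before CREATE DATABASE (for user databases).

```powershell
# Added example, not from the original page. Grant a network data location to
# the computer account, which is what a virtual account presents remotely.
# Assumptions: domain CORP, share \\fs01\sqldata, instance PAYROLL; run from
# the SQL Server host with rights to administer the share.
$instance = 'PAYROLL'
$share    = "\\fs01\sqldata\$instance"
$machine  = "CORP\$env:COMPUTERNAME`$"      # this SQL host's computer account

if (-not (Test-Path $share)) { New-Item -ItemType Directory -Path $share | Out-Null }

# Replace inherited and explicit ACEs with a minimal set. (OI)(CI) makes new
# database files inherit; M (Modify) covers create, write and delete without
# letting the service change the ACL itself.
& icacls.exe $share /inheritance:r /grant:r `
    "${machine}:(OI)(CI)M" `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)F'
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Read the result back; a per-service SID here grants nothing over the network.
$acl = & icacls.exe $share
$acl
if ($acl -match 'NT SERVICE\\') {
    throw "Per-service SID found on $share; grant the computer account $machine instead"
}
```

The share-level (SMB) permission is evaluated together with the NTFS ACL and must also allow the computer account; it is not set by this script. If the instance is later moved to an MSA or domain user, the grant changes to that account and the computer-account entry should be removed.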

Reviewing Additional Considerations

The following table shows the permissions that are required for SQL Server services to provide
additional functionality.

Service/Application: SQL Server (MSSQLSERVER)
    Functionality:       Write to a mail slot using xp_sendmail.
    Required permission: Network write permissions.

Service/Application: SQL Server (MSSQLSERVER)
    Functionality:       Run xp_cmdshell for a user other than a SQL Server administrator.
    Required permission: Act as part of operating system and replace a process-level token.

Service/Application: SQL Server Agent (MSSQLSERVER)
    Functionality:       Use the autorestart feature.
    Required permission: Must be a member of the Administrators local group.

Service/Application: Database Engine Tuning Advisor
    Functionality:       Tunes databases for optimal query performance.
    Required permission: On first use, a user who has system administrative credentials must
                         initialize the application. After initialization, dbo users can use the
                         Database Engine Tuning Advisor to tune only those tables that they own.
                         For more information, see "Initializing Database Engine Tuning Advisor
                         on First Use" in SQL Server Books Online.

Important

Before you upgrade SQL Server, enable Windows Authentication for SQL Server Agent and
verify the required default configuration: that the SQL Server Agent service account is a
member of the SQL Server sysadmin group.

Registry Permissions

The registry hive is created under HKLM\Software\Microsoft\Microsoft SQL Server\<Instance_ID>
for instance-aware components. For example:

HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL11.MyInstance

HKLM\Software\Microsoft\Microsoft SQL Server\MSASSQL11.MyInstance


HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL.110

The registry also maintains a mapping of instance ID to instance name. Instance ID to instance
name mapping is maintained as follows:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\SQL] "InstanceName"="MSSQL11"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\OLAP] "InstanceName"="MSASSQL11"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\RS] "InstanceName"="MSRSSQL11"

WMI

Windows Management Instrumentation (WMI) must be able to connect to the Database Engine.
To support this, the per-service SID of the Windows WMI provider (NT SERVICE\winmgmt) is
provisioned in the Database Engine.

The SQL WMI provider requires the following permissions:

Membership in the db_ddladmin or db_owner fixed database roles in the msdb database.

CREATE DDL EVENT NOTIFICATION permission in the server.

CREATE TRACE EVENT NOTIFICATION permission in the Database Engine.

VIEW ANY DATABASE server-level permission.

SQL Server setup creates a SQL WMI namespace and grants read permission to the SQL
Server Agent service-SID.

Named Pipes

In all installations, SQL Server Setup provides access to the SQL Server Database Engine through
the shared memory protocol, which is a local named pipe.

Provisioning
This section describes how accounts are provisioned inside the various SQL Server components.

Database Engine Provisioning

Windows Principals

sa Account

SQL Server Per-service SID Login and Privileges

SQL Server Agent Login and Privileges

HADRON and SQL Failover Cluster Instance and Privileges

SQL Writer and Privileges


SQL WMI and Privileges

SSAS Provisioning

SSRS Provisioning

Database Engine Provisioning

The following accounts are added as logins in the SQL Server Database Engine.

Windows Principals

During setup, SQL Server Setup requires at least one user account to be named as a member of
the sysadmin fixed server role.

sa Account

The sa account is always present as a Database Engine login and is a member of the sysadmin
fixed server role. When the Database Engine is installed using only Windows Authentication (that
is, when SQL Server Authentication is not enabled), the sa login is still present but is disabled. For
information about enabling the sa account, see Change Server Authentication Mode8.

SQL Server Per-service SID Login and Privileges

The per-service SID of the SQL Server service is provisioned as a Database Engine login. The
per-service SID login is a member of the sysadmin fixed server role.

SQL Server Agent Login and Privileges

The per-service SID of the SQL Server Agent service is provisioned as a Database Engine login.
The per-service SID login is a member of the sysadmin fixed server role.

AlwaysOn Availability Groups and SQL Failover Cluster Instance and Privileges

When installing the Database Engine as an AlwaysOn Availability Groups or SQL Failover Cluster
Instance (SQL FCI), LOCAL SYSTEM is provisioned in the Database Engine. The LOCAL SYSTEM
login is granted the ALTER ANY AVAILABILITY GROUP permission (for AlwaysOn Availability
Groups) and the VIEW SERVER STATE permission (for SQL FCI).

SQL Writer and Privileges

The per-service SID of the SQL Server VSS Writer service is provisioned as a Database Engine
login. The per-service SID login is a member of the sysadmin fixed server role.

SQL WMI and Privileges

SQL Server Setup provisions the NT SERVICE\Winmgmt account as a Database Engine login
and adds it to the sysadmin fixed server role.
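The Database Engine provisioning described in this section (per-service SID, SQL Server Agent, SQL Writer and SQL WMI logins in sysadmin, sa present but disabled under Windows Authentication, LOCAL SYSTEM's AlwaysOn/FCI grants) and the permission list in the WMI section above can be audited with the following T-SQL. This is an added example, not code from the page or from Microsoft; it assumes a default instance, so the NT SERVICE\... login names it lists are assumptions.

```sql
-- Added audit script; not from this page or from Microsoft. Assumes a default
-- instance (MSSQLSERVER), so the per-service SID login names are the ones
-- listed below; a named instance uses NT SERVICE\MSSQL$<instance> and
-- NT SERVICE\SQLAgent$<instance> instead.
SET NOCOUNT ON;

-- 1. Logins that Setup provisions into sysadmin. sa must exist; with
--    Windows Authentication only it should be present but disabled.
DECLARE @expected TABLE (login_name sysname NOT NULL);
INSERT INTO @expected (login_name) VALUES
    (N'sa'),
    (N'NT SERVICE\MSSQLSERVER'),     -- Database Engine per-service SID
    (N'NT SERVICE\SQLSERVERAGENT'),  -- SQL Server Agent per-service SID
    (N'NT SERVICE\SQLWriter'),       -- SQL Server VSS Writer per-service SID
    (N'NT SERVICE\Winmgmt');         -- SQL WMI provider

SELECT e.login_name,
       CASE WHEN p.principal_id IS NULL THEN 'MISSING LOGIN'
            WHEN IS_SRVROLEMEMBER('sysadmin', e.login_name) = 1 THEN 'sysadmin'
            ELSE 'NOT sysadmin' END AS provisioning,
       p.is_disabled,
       SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only
FROM @expected AS e
LEFT JOIN sys.server_principals AS p ON p.name = e.login_name;

-- 2. Explicit server-level grants. The WMI provider needs CREATE DDL EVENT
--    NOTIFICATION, CREATE TRACE EVENT NOTIFICATION and VIEW ANY DATABASE;
--    LOCAL SYSTEM gets ALTER ANY AVAILABILITY GROUP / VIEW SERVER STATE on an
--    AlwaysOn or FCI install. A sysadmin member holds these implicitly, so an
--    empty result for NT SERVICE\Winmgmt is expected when query 1 shows sysadmin.
SELECT sp.name AS grantee, perm.permission_name, perm.state_desc
FROM sys.server_permissions AS perm
JOIN sys.server_principals AS sp ON sp.principal_id = perm.grantee_principal_id
WHERE sp.name IN (N'NT SERVICE\Winmgmt', N'NT AUTHORITY\SYSTEM')
  AND perm.permission_name IN (N'CREATE DDL EVENT NOTIFICATION',
                               N'CREATE TRACE EVENT NOTIFICATION',
                               N'VIEW ANY DATABASE',
                               N'ALTER ANY AVAILABILITY GROUP',
                               N'VIEW SERVER STATE');

-- 3. msdb role membership (db_ddladmin or db_owner) for the WMI provider.
--    A sysadmin login maps to dbo in msdb and will not appear here either.
SELECT r.name AS role_name, m.name AS member_name
FROM msdb.sys.database_role_members AS drm
JOIN msdb.sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN msdb.sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'db_ddladmin', N'db_owner')
  AND m.name = N'NT SERVICE\Winmgmt';
```

Run it as a sysadmin after Setup or an upgrade; a 'MISSING LOGIN' or 'NOT sysadmin' row in the first result means the provisioning this page describes did not happen.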

SSRS Provisioning

The account specified during setup is provisioned as a member of the RSExecRole database role.
For more information, see Configure the Report Server Service Account9.


SSAS Provisioning

SSAS service account requirements vary depending on how you deploy the server. If you are
installing PowerPivot for SharePoint, SQL Server Setup requires that you configure the Analysis
Services service to run under a domain account. Domain accounts are required to support the
managed account facility that is built into SharePoint. For this reason, SQL Server Setup does not
provide a default service account, such as a virtual account, for a PowerPivot for SharePoint
installation. For more information about provisioning PowerPivot for SharePoint, see Configure
PowerPivot Service Accounts10.

For all other standalone SSAS installations, you can provision the service to run under a domain
account, built-in system account, managed account, or virtual account. For more information
about account provisioning, see Configure Service Accounts (Analysis Services)11.

For clustered installations, you must specify a domain account or a built-in system account.
Neither managed accounts nor virtual accounts are supported for SSAS failover clusters.

All SSAS installations require that you specify a system administrator of the Analysis Services
instance. Administrator privileges are provisioned in the Analysis Services Server role.

SSRS Provisioning

The account specified during setup is provisioned in the Database Engine as a member of the
RSExecRole database role. For more information, see Configure the Report Server Service
Account9.

Upgrading From Previous Versions

This section describes the changes made during upgrade from a previous version of SQL Server.

SQL Server 2012 requires Windows Vista, Windows 7, Windows Server 2008, or Windows
Server 2008 R2. Any previous version of SQL Server running on Windows XP or Windows
Server 2003 must have the operating system upgraded before upgrading SQL Server.

During upgrade of SQL Server 2005 to SQL Server 2012, SQL Server Setup will configure
SQL Server in the following way.

The Database Engine runs with the security context of the per-service SID. The per-
service SID is granted access to the file folders of the SQL Server instance (such as
DATA), and the SQL Server registry keys.

The per-service SID of the Database Engine is provisioned in the Database Engine as
a member of the sysadmin fixed server role.

The per-service SIDs are added to the local SQL Server Windows groups, unless SQL
Server is a Failover Cluster Instance.

The SQL Server resources remain provisioned to the local SQL Server Windows
groups.

The local Windows group for services is renamed from
SQLServer2005MSSQLUser$<computer_name>$<instance_name> to
SQLServerMSSQLUser$<computer_name>$<instance_name>. File locations for
migrated databases will have Access Control Entries (ACEs) for the local Windows
groups. The file locations for new databases will have ACEs for the per-service SID.


During upgrade from SQL Server 2008, SQL Server Setup will preserve the ACEs for the
SQL Server 2008 per-service SID.

For a SQL Server Failover Cluster Instance, the ACE for the domain account configured for
the service will be retained.

Appendix
This section contains additional information about SQL Server services.

Description of Service Accounts

Identifying Instance-Aware and Instance-Unaware Services

Localized Service Names

Description of Service Accounts

The service account is the account used to start a Windows service, such as the SQL Server
Database Engine.

Accounts Available With Any Operating System

In addition to the new MSA and virtual accounts described earlier, the following accounts can be
used.

Domain User Account

If the service must interact with network services, access domain resources like file shares or if it
uses linked server connections to other computers running SQL Server, you might use a
minimally-privileged domain account. Many server-to-server activities can be performed only with
a domain user account. This account should be pre-created by domain administration in your
environment.

Note

If you configure the application to use a domain account, you can isolate the privileges for the
application, but must manually manage passwords or create a custom solution for managing
these passwords. Many server applications use this strategy to enhance security, but this
strategy requires additional administration and complexity. In these deployments, service
administrators spend a considerable amount of time on maintenance tasks such as managing
service passwords and service principal names (SPNs), which are required for Kerberos
authentication. In addition, these maintenance tasks can disrupt service.

Local User Accounts

If the computer is not part of a domain, a local user account without Windows administrator
permissions is recommended.

Local Service Account

The Local Service account is a built-in account that has the same level of access to resources and
objects as members of the Users group. This limited access helps safeguard the system if
individual services or processes are compromised. Services that run as the Local Service account


access network resources as a null session without credentials. Be aware that the Local Service
account is not supported for the SQL Server or SQL Server Agent services. The actual name of
the account is NT AUTHORITY\LOCAL SERVICE.

Network Service Account

The Network Service account is a built-in account that has more access to resources and objects
than members of the Users group. Services that run as the Network Service account access
network resources by using the credentials of the computer account in the format
<domain_name>\<computer_name>$. The actual name of the account is NT
AUTHORITY\NETWORK SERVICE.

Local System Account

Local System is a very high-privileged built-in account. It has extensive privileges on the local
system and acts as the computer on the network. The actual name of the account is NT
AUTHORITY\SYSTEM.

Identifying Instance-Aware and Instance-Unaware Services

Instance-aware services are associated with a specific instance of SQL Server, and have their
own registry hives. You can install multiple copies of instance-aware services by running SQL
Server Setup for each component or service. Instance-unaware services are shared among all
installed SQL Server instances. They are not associated with a specific instance, are installed only
once, and cannot be installed side-by-side.

Instance-aware services in SQL Server include the following:

SQL Server

SQL Server Agent

Be aware that the SQL Server Agent service is disabled on instances of SQL Server Express
and SQL Server Express with Advanced Services.

Analysis Services1

Reporting Services

Full-text search

Instance-unaware services in SQL Server include the following:

Integration Services

SQL Server Browser

SQL Writer

1 Analysis Services in SharePoint integrated mode runs as 'PowerPivot' as a single, named
instance. The instance name is fixed. You cannot specify a different name. You can install only
one instance of Analysis Services running as 'PowerPivot' on each physical server.

Localized Service Names

The following table shows service names that are displayed by localized versions of Windows.


Language                                  Name for Local Service            Name for Network Service          Name for Local System    Name for Admin

English, Simplified Chinese,              NT AUTHORITY\LOCAL SERVICE        NT AUTHORITY\NETWORK SERVICE      NT AUTHORITY\SYSTEM      BUILTIN\Administrators
Traditional Chinese, Korean, Japanese

German                                    NT-AUTORITÄT\LOKALER DIENST       NT-AUTORITÄT\NETZWERKDIENST       NT-AUTORITÄT\SYSTEM      VORDEFINIERT\Administratoren

French                                    AUTORITE NT\SERVICE LOCAL         AUTORITE NT\SERVICE RÉSEAU        AUTORITE NT\SYSTEM       BUILTIN\Administrateurs

Italian                                   NT AUTHORITY\SERVIZIO LOCALE      NT AUTHORITY\SERVIZIO DI RETE     NT AUTHORITY\SYSTEM      BUILTIN\Administrators

Spanish                                   NT AUTHORITY\SERVICIO LOC         NT AUTHORITY\SERVICIO DE RED      NT AUTHORITY\SYSTEM      BUILTIN\Administradores

Russian                                   NT AUTHORITY\LOCAL SERVICE        NT AUTHORITY\NETWORK SERVICE      NT AUTHORITY\SYSTEM      BUILTIN\Администраторы

Related Content

Security Considerations for a SQL Server Installation12

File Locations for Default and Named Instances of SQL Server13

Install Master Data Services14

Links Table

1. http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx
2. http://technet.microsoft.com/en-us/library/ff641729(WS.10).aspx
3. http://msdn.microsoft.com/en-us/library/ms144259(v=sql.110).aspx
4. http://msdn.microsoft.com/en-us/library/ms345332(v=sql.110).aspx
5. http://msdn.microsoft.com/en-us/library/ms345343(v=sql.110).aspx
6. http://msdn.microsoft.com/en-us/library/cc646023(v=sql.110).aspx
7. http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d
8. http://msdn.microsoft.com/en-us/library/ms188670(v=sql.110).aspx
9. http://msdn.microsoft.com/en-us/library/ms160340(v=sql.110).aspx
10. http://msdn.microsoft.com/en-us/library/ee210642(v=sql.110).aspx
11. http://msdn.microsoft.com/en-us/library/ms175371(v=sql.110).aspx
12. http://msdn.microsoft.com/en-us/library/ms144228(v=sql.110).aspx
13. http://msdn.microsoft.com/en-us/library/ms143547(v=sql.110).aspx
14. http://msdn.microsoft.com/en-us/library/ee633752(v=sql.110).aspx

© 2012 Microsoft. All rights reserved.
