Service Security Accounts for SQL Server

SQL Server 2005 and SQL Server agent are run as Windows services. Each service is assigned a windows user account to use, when the service starts. This account allows the service to log on to the system. So, the Service Security Account is the logon account that SQL Server uses to access Windows resources. We should note that the service security account is not a login for users connecting to SQL server.

We need not configure the user account in Windows 9x, for the service to start. This is because, Microsoft Windows 9x does not support Windows services. The personal Edition of SQL Server that runs on Windows 9x simulates the SQL Server and SQL Server Agent services.

SQL Server services can be configured to log on as Local System or to use windows logon accounts when the operating system is Windows 2000 or Windows Server 2003.

The Local System accounts option allows administrative privileges to SQL Server on the local computer but no privileges on the network. We use the local system accounts when we want resources on the local server only, and we want to isolate SQL Server and restrict it from interacting with other servers. Note that integrating with SQL server with other server applications such as exchange server is difficult.

The Domain accounts option sets the service to use a standard domain account. We should use domain accounts when the server requires resources across the network and when we need to forward events to the application logs of other systems, and when we want to configure e-mail or pager notification. This is the recommended option in production environment is to use a dedicated domain account.

When we use a domain user account, the following services are available.

-Multiserver jobs
-Replication
-Backing up to network drives


All domain user account which is to be used as a service account must have permissions to for following tasks.

Read and change the SQL Server installation folder. By default, this folder is located in the % Program Files % / Microsoft SQL Server / MSSQL folder.
Read and change the database files, including the . mdf, ndf, and Idf files.
Read and write SQL Server - related registry keys.
Log on as a service.

Setting the Startup Service Account

You can specify a local system account for a SQL Server service with the following steps:

1. Start SQL Server Configuration Manager, and select the SQL Server 2005 Services node.
2. In the right pane, right-click a service to select it, and select properties.
3. On the Log On tab of the properties dialog box, select Built-In Account and use the drop-down list to choose the service to use.
4. The local system account does not require a password. The local system account may restrict the (this) service from interacting with other services.
5. Restart the SQL service to stop it and start it again using the new credentials.
6. Click OK.

You can specify a domain account for a SQL Server service with the following steps:

1. Start SQL Server Configuration Manager, and then select the SQL Server 2005 Services node.
2. In the right pane, right-click a service to select it, and them select properties.
3. On the Log On tab of the properties dialog box, choose the This Account option button, as shown in Figure 3-8. Then type the designated account name and password. If necessary, specify the domain as part of the account name, such as VKINFOTEK.COM/ /sqlservice, where VKINFOTEK.COM is the domain name and sqlservice is the account name.
4. If the service is running, you must restart the service by clicking Restart to stop it and start it again using the new credentials.
5. Click Ok.