Domain Service Accounts

  • Hi

    I have seen a domain\service account as the service account for dbengine. I see this service account was added as a login in SQL Server and it was given sysadmin privileges. From what I have read, this is not necessary, so I thought I would just try and delete this domain\service account, but I ended up with a message that said it was in use. I am assuming that this account has inherited sysadmin rights from NT SERVICE\MSSQLSERVER and NT SERVICE\SQLSERVERAGENT.
    Is this correct? Does it matter that the domain\service account has this login? I'm looking at this from a security standpoint.

    Thanks for any input
    K

  • kathy.plamann 36011 - Friday, February 3, 2017 1:34 PM

    Hi

    I have seen a domain\service account as the service account for dbengine. I see this service account was added as a login in SQL Server and it was given sysadmin privileges. From what I have read, this is not necessary, so I thought I would just try and delete this domain\service account, but I ended up with a message that said it was in use. I am assuming that this account has inherited sysadmin rights from NT SERVICE\MSSQLSERVER and NT SERVICE\SQLSERVERAGENT.
    Is this correct? Does it matter that the domain\service account has this login? I'm looking at this from a security standpoint.

    Thanks for any input
    K

    Accounts like NT Service\MSSQLSERVER are the per-service SID accounts. Those virtual accounts and the domain accounts you used are used together by SQL Server. The virtual accounts are the ones that are sysadmins. The whole way it works now provides more security for the SQL Server instance.
    Some more info on those accounts is in this article:
    SQL Server uses a service SID to provide service isolation

    That's the MS doc anyway. I found this one more beneficial; it explains a bit more of the rationale and use of those accounts:
    SQL Server Service Account and Per-Service SID

    I understood it better after reading some threads up here when SQL 2008 was out. But of course I can't find those now. You may want to look around and search some of the threads.
    In terms of permissions, yes on the sysadmin for the Service SID accounts. I think some of the confusion is from where they do not need to be local admins on the server. The domain accounts often were added to local admins, and that wasn't needed. You can find more info on the permissions needed in the Configure Accounts and Permissions document. It is pretty thorough in terms of the different areas of permissions needed. For the permissions in SQL Server itself, refer to the Database Engine Provisioning section:
    Configure Windows Service Accounts and Permissions

    The best thing to do with the accounts is to let SQL Server manage them. First on the installation and then using Configuration Manager for any changes.

    Sue
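A T-SQL check, added here as an example and not part of either post above, that shows what the thread is talking about: which Windows account each service actually runs as, which members of sysadmin are per-service SIDs (expected) versus a domain or SQL login (worth reviewing), and whether a login you want to drop still owns a database, which is one documented reason DROP LOGIN is refused. The `@login_to_review` value is a placeholder for the domain account in question; `sys.dm_server_services` requires SQL Server 2008 R2 SP1 or later.

```sql
-- Added example: audit sysadmin membership against the service accounts.
-- Placeholder: replace with the domain\service account from the question.
DECLARE @login_to_review sysname = N'DOMAIN\svc_sql_placeholder';

-- 1. Which Windows identity is each SQL Server service running under?
SELECT servicename, service_account
FROM sys.dm_server_services
WHERE servicename LIKE N'SQL Server%';

-- 2. Explicit members of the sysadmin fixed server role, classified.
--    NT SERVICE\ members are the per-service SIDs the engine and agent use;
--    anything else holds sysadmin in its own right and should be reviewed.
SELECT
    p.name AS login_name,
    p.type_desc,
    CASE
        WHEN p.name LIKE N'NT SERVICE\%'   THEN 'per-service SID (expected)'
        WHEN p.name LIKE N'NT AUTHORITY\%' THEN 'built-in account'
        ELSE 'review: domain or SQL login holding sysadmin'
    END AS classification,
    p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY classification, p.name;

-- 3. Databases owned by the login under review. DROP LOGIN fails while the
--    login owns a database, so reassign ownership first (e.g. to sa).
SELECT d.name AS owned_database
FROM sys.databases AS d
JOIN sys.server_principals AS p ON p.sid = d.owner_sid
WHERE p.name = @login_to_review;
```

Step 2 lists only explicit role members; a domain account can also reach sysadmin through a Windows group login, so check group memberships separately before concluding the account has no elevated rights.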
