Friday, July 31, 2009

SQL Service account requirements

If you don't want to just make your service account(s) part of the local administrators group, here are the user rights that you need to know...

For SQL 2000, a service account requires these user rights:

  • Act as Part of the Operating System = SeTcbPrivilege
  • Bypass Traverse Checking = SeChangeNotify
  • Lock Pages In Memory = SeLockMemory
  • Log on as a Batch Job = SeBatchLogonRight
  • Log on as a Service = SeServiceLogonRight
  • Replace a Process Level Token = SeAssignPrimaryTokenPrivilege
For SQL 2005, it's somewhat more complicated, depending on what service the account is for:

SQL Server

Default instance: SQLServer2005MSSQLUser$ComputerName$MSSQLSERVER
Named instance: SQLServer2005MSSQLUser$ComputerName$InstanceName

  • Log on as a service
  • Act as part of the operating system (only on Windows 2000)
  • Log on as a batch job
  • Replace a process-level token
  • Bypass traverse checking
  • Adjust memory quotas for a process
  • Permission to start SQL Server Active Directory Helper
  • Permission to start SQL Writer

SQL Server Agent

Default instance: SQLServer2005SQLAgentUser$ComputerName$MSSQLSERVER
Named instance: SQLServer2005SQLAgentUser$ComputerName$InstanceName

  • Log on as a service
  • Act as part of the operating system (only on Windows 2000)
  • Log on as a batch job
  • Replace a process-level token
  • Bypass traverse checking
  • Adjust memory quotas for a process

Analysis Services

Default instance: SQLServer2005MSOLAPUser$ComputerName$MSSQLSERVER
Named instance: SQLServer2005MSOLAPUser$ComputerName$InstanceName

  • Log on as a service

Reporting Services

Default instance: SQLServer2005ReportServerUser$ComputerName$MSSQLSERVER and SQLServer2005ReportingServicesWebServiceUser$ComputerName$MSSQLSERVER
Named instance: SQLServer2005ReportServerUser$ComputerName$InstanceName and SQLServer2005ReportingServicesWebServiceUser$ComputerName$InstanceName

  • Log on as a service

Integration Services

Default or named instance: SQLServer2005DTSUser$ComputerName

  • Log on as a service
  • Permission to write to application event log
  • Bypass traverse checking
  • Create global objects
  • Impersonate a client after authentication

Full-Text Search

Default instance: SQLServer2005MSFTEUser$ComputerName$MSSQLSERVER
Named instance: SQLServer2005MSFTEUser$ComputerName$InstanceName

  • Log on as a service

SQL Server Browser

Default or named instance: SQLServer2005SQLBrowserUser$ComputerName

  • Log on as a service

SQL Server Active Directory Helper

Default or named instance: SQLServer2005MSSQLServerADHelperUser$ComputerName

  • No special rights

References: http://support.microsoft.com/kb/283811

http://msdn.microsoft.com/en-us/library/ms143504(SQL.90).aspx
Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)