MSSQLServer Service and Domain user

Status
Not open for further replies.

anthonymeluso

IS-IT--Management
May 2, 2005
226
US
I just ran the new Baseline Security Analyzer from Microsoft and it flagged down that I'm running this service under the domain admin account. How can I change this to a different user and is this even safe?

I really think everything is working fine now but don't want to take a chance to screw things up. So which account should this service be running under?

Anthony
 
Sure it's safe, as long as you know what you're doing [smile]

IF this instance of SQL is stand-alone (it does not care about or need access to other SQL instances on the network) then you can run it under the SYSTEM account.

IF, like me, you can't guarantee this instance will never need to access other instances on the network for infinity, the best practice is to create a Windows account with Admin privileges for it to use. I usually create an account called "services" (or something easily recognized) and assign all my add-on services (SQL, Backup Exec, scheduler) to run using it.

To change which account a service runs under:
Control Panel -> Computer Management -> Services. Highlight the service in question (in your case, MSSQLSERVER is the main engine, and SQLSERVERAGENT is what runs backups, maintenance plans, etc.) and click the "Startup" button. There you can pick which account the highlighted service runs under.
 
Whoops, that path is
Control Panel -> Administrative Tools -> Services.
 
It is recommended that you change the SQL Service Startup account via the SQL Enterprise Manager if you can. This will ensure that the account has the rights that it needs.

For the tightest security the domain account should not be a domain admin, or a server admin. You should give it the least rights that it needs to do what you need it to do.

It is more secure to have the account running from a domain account rather than under the system account.

Denny
MCSA (2003) / MCDBA (SQL 2000)

--Anything is possible. All it takes is a little research. (Me)

[noevil]
(Not quite so old any more.)
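
A read-only check for the condition the Baseline Security Analyzer flagged in this thread, added here as an example and not part of any poster's reply: it reports the logon account of the two services named above and flags SYSTEM, Domain Admins, and local Administrators membership. It assumes PowerShell 5.1 or later on the SQL Server host; `Test-DomainAdmin` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Read-only; run on the SQL Server host.
# Service names are the default-instance names mentioned in the thread.
$serviceNames    = 'MSSQLSERVER', 'SQLSERVERAGENT'
$domainAdminsRid = '-512'   # well-known RID suffix of the Domain Admins group

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Direct members of the local Administrators group (well-known SID S-1-5-32-544).
# Names come back as DOMAIN\user or COMPUTER\user; a service logon written as
# .\user will not match and should be reviewed by hand.
$localAdmins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name })

function Test-DomainAdmin([string]$Account) {
    # Hypothetical helper: checks nested membership via the account's authorization groups.
    try {
        $type = [System.DirectoryServices.AccountManagement.ContextType]::Domain
        $ctx  = [System.DirectoryServices.AccountManagement.PrincipalContext]::new($type)
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $Account)
        if (-not $user) { return $false }
        return [bool]($user.GetAuthorizationGroups() |
            Where-Object { $_.Sid.Value.EndsWith($domainAdminsRid) })
    } catch {
        return $null   # host not domain-joined, or the domain could not be queried
    }
}

$filter = ($serviceNames | ForEach-Object { "Name='$_'" }) -join ' OR '
Get-CimInstance -ClassName Win32_Service -Filter $filter | ForEach-Object {
    $account = $_.StartName
    $finding = if ($account -in 'LocalSystem', 'NT AUTHORITY\SYSTEM') {
        'Runs as SYSTEM'
    } elseif ($account -like 'NT AUTHORITY\*' -or $account -like 'NT SERVICE\*') {
        'Built-in service identity'
    } else {
        $isDomainAdmin = Test-DomainAdmin $account
        if ($isDomainAdmin) { 'Domain Admins member' }
        elseif ($localAdmins -contains $account) { 'Local Administrators member' }
        elseif ($null -eq $isDomainAdmin) { 'Domain membership not checked' }
        else { 'No administrative group found' }
    }
    [pscustomobject]@{
        Service = $_.Name; State = $_.State; LogonAs = $account; Finding = $finding
    }
}
```

Run it before and after changing the startup account to confirm the service no longer reports an administrative logon.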
 