
 What Accounts to use for SQL services


groadssql
Starting Member

9 Posts

Posted - 2010-11-18 : 21:07:17
I installed SQL 2008 for the first time. I had to install it on MS 2008 server. What accounts should I run SQL server, SQL agent service and report services in? Thanks

GAR

tkizer
Almighty SQL Goddess

38200 Posts

Posted - 2010-11-18 : 21:50:29
It depends on what your SQL Server will be used for. If you won't be using any external resources, then local system account is fine. We use a domain account that has local admin on the database server, and we've locked the account down to just the DBA team.

Tara Kizer
Microsoft MVP for Windows Server System - SQL Server
http://weblogs.sqlteam.com/tarad/


jeffw8713
Aged Yak Warrior

819 Posts

Posted - 2010-11-19 : 14:07:12
I prefer using a domain account and DO NOT add it as a local administrator on the machine. When you install, you are given the option to enter the accounts to run each service. The installation will make sure those accounts have all of the necessary rights to run the services.

The recommended practice is to use a separate account for each service - which I do not do. If you need to be able to grant different levels of access to the services, then you would need separate accounts.

I do not recommend using local system - as that is a highly privileged account on the machine. If you do not need access to network resources, then you can create local windows users for the services.

Jeff

russell
Pyro-ma-ni-yak

5072 Posts

Posted - 2010-11-19 : 15:14:38
We too typically use a domain account and make it local admin. In our case the SQL Server service account, and the Agent account, need that, as well as several network resources.

We do NOT run dev, qa or staging servers under the same account(s) as production servers.

Using local accounts makes backups a chore -- unless you give some remote account permissions on the SQL server, which I won't do. Rather push than pull so to speak.

russell
Pyro-ma-ni-yak

5072 Posts

Posted - 2010-11-19 : 15:16:43
Haha, I walked into a client site one time and they had the dev servers running as domain admin and all developers logging in as sa. I don't think the developers actually knew about it, but I sure noticed! Nothing quite like making everyone domain admin lol

jeffw8713
Aged Yak Warrior

819 Posts

Posted - 2010-11-19 : 18:05:55
Russell,

Why do your service accounts need to be local administrator on the box? I don't see the need for that - just curious.

Jeff

russell
Pyro-ma-ni-yak

5072 Posts

Posted - 2010-11-20 : 10:04:08
Depends on what you have the service account doing. I agree it's best not to if you don't need it. Like you, I'll grant only the minimum privilege possible to get the work done.

jeffw8713
Aged Yak Warrior

819 Posts

Posted - 2010-11-20 : 11:50:32
To clarify - I don't even add my service accounts as users on the machine. The installation takes care of all permissions required.

If I need additional privileges on that system - I'll set up proxy accounts for that access instead of using the service accounts. The only reason I use a domain user is so I can access network resources (e.g. copy backup files to a network share, access import/export files on network shares, etc...).
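One way to check an existing server against the points raised in this thread (Local System, local Administrators membership, one account shared by several services), as an added example that is not from any of the posters. It assumes an elevated Windows PowerShell 5.1 or later session on the database server and the standard SQL Server service names; it sees only direct members of the Administrators group, so rights granted through a nested domain group are not detected.

```powershell
# Added example: audit the accounts behind the SQL Server services on this machine.

# Standard service names: default instance first, then named-instance patterns
# (database engine, SQL Server Agent, Reporting Services).
$patterns = 'MSSQLSERVER', 'MSSQL$*',
            'SQLSERVERAGENT', 'SQLAgent$*',
            'ReportServer', 'ReportServer$*'

$services = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $name = $_.Name
    $patterns | Where-Object { $name -like $_ }
}

# Direct members of the built-in Administrators group, looked up by its
# well-known SID so the check also works on non-English installs.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.Name }

# Accounts that run more than one of the SQL services.
$shared = $services | Group-Object -Property StartName |
    Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name }

$services | ForEach-Object {
    # Local accounts are stored as '.\name'; expand to 'COMPUTER\name'
    # so they compare equal to the group-member names.
    $account = $_.StartName -replace '^\.\\', "${env:COMPUTERNAME}\"

    $findings = @()
    if ($account -in 'LocalSystem', 'NT AUTHORITY\SYSTEM') {
        $findings += 'runs as Local System'
    }
    if ($admins -contains $account) {
        $findings += 'member of local Administrators'
    }
    if ($shared -contains $_.StartName) {
        $findings += 'account shared with another SQL service'
    }

    [pscustomobject]@{
        Service  = $_.Name
        Account  = $_.StartName
        Findings = if ($findings) { $findings -join '; ' } else { 'none' }
    }
} | Format-Table -AutoSize
```

Accounts entered in UPN form (user@domain) will not match the DOMAIN\user names returned for group members, so check those by hand.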
   
