Do NT Service accounts need to be SysAdmin when using Domain Accounts
Problem
I'm not sure if I'm googling for the wrong thing, but I can't find an answer. We're running SQL 2014. The SQL Server and SQL Agent processes are both running under Domain Managed Service Accounts.

When SQL was installed, NT SERVICE\MSSQLSERVER, NT SERVICE\SQLSERVERAGENT, NT SERVICE\SQLWriter and NT SERVICE\Winmgmt were all set up as SysAdmins.

If I am running SQL and SQL Agent as a Domain user, do I still need these NT Service accounts, and/or do they need to be SysAdmin?
Solution
If I am running SQL and SQL Agent as a Domain user, do I still need these NT Service accounts, and/or do they need to be SysAdmin?
Even if you are running SQL Server as a domain account, keep those NT SERVICE\* logins as they are. From BOL:

Virtual accounts in Windows Server 2008 R2 and Windows 7 are managed local accounts that provide the following features to simplify service administration. The virtual account is auto-managed, and the virtual account can access the network in a domain environment. If the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2 or Windows 7, a virtual account using the instance name as the service name is used, in the format NT SERVICE\<SERVICENAME>. These logins are members of the sysadmin fixed server role, so they can do anything in the Database Engine.

Keep them in the SYSADMIN role even if you are using a Domain account. See the "SQL Server Per-service SID Login and Privileges" section.

A really good answer detailing the above: Service/Database Accounts - NT SERVICE\MSSQLSERVER & NT SERVICE\SQLSERVERAGENT … what are they for?

These accounts can't be selected in the list of available built-in accounts, local accounts or domain accounts. This is because they are services, not accounts. They have a security identifier (SID) in Windows, but Windows knows they aren't real users. Windows can authenticate them, but they don't have passwords that any human can use. If you run lusrmgr.msc and look at the groups, you will see groups like SQLServerMSSQLUser$computername$MSSQLSERVER, and NT SERVICE\MSSQLSERVER is a member of the group.

Context
StackExchange Database Administrators Q#114919, answer score: 5
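An added example (not part of the question or the answer above) that lets you verify the situation the answer describes on your own instance: which account each service is actually running as, and whether the per-service SID logins (NT SERVICE\*) still exist and still hold sysadmin. It assumes SQL Server 2008 R2 SP1 or later, where sys.dm_server_services is available, and a login that can read server-level metadata.

```sql
-- Added audit query, not from the original post. Assumes SQL Server 2008 R2 SP1+
-- (sys.dm_server_services exists) and VIEW SERVER STATE / server metadata rights.

-- 1. Which Windows account is each SQL Server service running under right now?
--    With domain (or managed) service accounts this shows the domain account,
--    not the NT SERVICE\* name, which is exactly the situation in the question.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;

-- 2. Which per-service SID logins exist in the instance, and are they sysadmin?
--    A LEFT JOIN keeps logins that are NOT in the role so you see them too.
SELECT p.name,
       p.type_desc,
       p.is_disabled,
       CASE WHEN r.principal_id IS NULL THEN 0 ELSE 1 END AS is_sysadmin
FROM sys.server_principals AS p
LEFT JOIN sys.server_role_members AS rm
       ON rm.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals AS r
       ON r.principal_id = rm.role_principal_id
      AND r.name = N'sysadmin'
WHERE p.name LIKE N'NT SERVICE\%'
ORDER BY p.name;

-- 3. Does the domain account the services run as also have a login, and is it
--    sysadmin? Compare this with the per-service SIDs from query 2.
SELECT s.servicename,
       s.service_account,
       p.name AS login_name,
       CASE WHEN r.principal_id IS NULL THEN 0 ELSE 1 END AS is_sysadmin
FROM sys.dm_server_services AS s
LEFT JOIN sys.server_principals AS p
       ON p.name = s.service_account
LEFT JOIN sys.server_role_members AS rm
       ON rm.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals AS r
       ON r.principal_id = rm.role_principal_id
      AND r.name = N'sysadmin';
```

If query 2 shows an NT SERVICE\* login with is_sysadmin = 0 or is_disabled = 1, that is the state the answer warns against, since the engine and Agent rely on those per-service SID logins regardless of the account the Windows service runs as.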