Changing Passwords and User Accounts

Installing SQL Server

Installing SQL Server

Changing Passwords and User Accounts

Microsoft® SQL Server™ 2000 services accounts and passwords are linked to Microsoft Windows® user accounts and passwords. Changes in one location may require changes in the other.

Changing SQL Server Services Accounts After Install

After you have installed SQL Server 2000, use SQL Server Enterprise Manager to change the assigned password or other properties of any SQL Server–related service. Each service must be changed individually. The new user account takes effect when the service is restarted. You should not change the passwords for any of the SQL Server service accounts when a failover cluster node is down or offline. If you have to do this, you will need to reset the password again using Enterprise Manager when all nodes are back online.

If you are running Microsoft Windows NT®, and you select to change the current service account for SQL Server to a non-administrator account (and the current service account for SQL Server is not an administrator account), the Valid Administrator Login dialog box is displayed. SQL Server must have administrator privileges to change security entries, so you must enter the user name, password, and domain to impersonate the non-administrator service account you have selected.

Once you have specified this information, all objects are granted full control permission. The location of the objects is determined by the following:

  • Permissions are set for all files in the binary and data installation locations for the specific instances.

  • Registry permissions depend on whether the instance is default or named:

    For a default instance, permissions are applied only to the entries listed below the HKLM\Software\Microsoft\MSSQLServer entry:

    • SQLServerAgent

    • Replication

    • Providers

    • Setup

    • Tracking

    • MSSQLServer

    For a named instance, permissions are applied to the entire HKLM\Software\Microsoft\MicrosoftSQLServer\80 entry.

The following rights are granted to the accounts:

  • SeServiceLogonRight, which allows the account to run as a service.

  • SeLockMemoryPrivilege, which allows the account to use the AWE memory feature of SQL Server.

  • SeTcbPrivilege, which allows the account to impersonate other accounts.

If you are running SQL Server in a failover cluster configuration, permissions are also set for all files in the binary and data installation locations for all nodes in the cluster. Permission is also granted for the service account on the Cluster Object.

Note  If you are running Microsoft Windows 2000 and want to use the Windows 2000 Encrypted File System to encrypt any SQL Server files, you must unencrypt the files before you can change the SQL Server service accounts. If you do not unencrypt the files and then reset the SQL Server service accounts, you cannot unencrypt the files.

You can change the SQLServerAgent service account to a non Microsoft Windows NT® 4.0 administrator account. However, the Windows NT 4.0 account must be a member of the sysadmin fixed server role to run SQL Server Agent.

To change the MSSQLServer services login (Enterprise Manager)