Server Configuration - Service Accounts

SQL Server 2008 R2

Use the Server Configuration page of the SQL Server Installation Wizard to assign login accounts to SQL Server services. The actual services configured on this page depend on the features you have selected to install.

Options

You can assign the same login account to all SQL Server services, or you can configure each service account individually. You can also specify whether services start automatically, are started manually, or are disabled. Microsoft recommends that you configure service accounts individually to provide least privileges for each service, where SQL Server services are granted the minimum permissions they need to complete their tasks. For more information, see Setting Up Windows Service Accounts.

Configure SQL Server service accounts individually (recommended)

Use the grid to provision each SQL Server service with a logon user name and password, and to set the startup type for the service. You can use built-in system accounts, a local account, local group, domain group, or domain user accounts for SQL Server services.

Select any of the following services to customize its settings.

Each entry below names the service to select, followed by what you configure authentication settings for.

SQL Server Agent

The service that executes jobs, monitors SQL Server, and allows automation of administrative tasks.

There is no default logon account for this service.

The default startup type is Manual.

SQL Server

The SQL Server Database Engine.

There is no default logon account for this service.

The default startup type is Automatic.

SQL Server Browser

SQL Server Browser is the name resolution service that provides SQL Server connection information to client computers. This service is shared across multiple SQL Server and Integration Services instances.

The default logon account is NT Authority\Local service and cannot be changed during SQL Server setup. You can change the account after the setup has been completed.

If the startup type is not specified during setup, it is determined as follows:

  • SQL Server Browser is set to Automatic and running in the installation scenarios described below:
    • SQL Server failover cluster instance
    • Named instance of SQL Server where TCP or NP is enabled
    • Named instance of Analysis Server that is not clustered
    • This is a SQL Server 2000 upgrade or there is an existing instance of SQL Server 2000 on the machine
  • If none of the above scenarios apply, and SQL Server Browser is already installed, the current state of SQL Server Browser will be maintained.
  • The startup type is set to Disabled and stopped if there is not an existing SQL Server 2005 or a SQL Server 2008 instance prior to the installation.

Analysis Services

Analysis Services.

There is no default logon account for this service.

The default startup type is Automatic.

For SharePoint integrated mode, you must specify a Windows domain user account. The account you specify is used for the Analysis Services service. The account you specify for the current instance must also be used for any additional Analysis Services instances that you subsequently add to the same farm. For more information, see How to: Install PowerPivot for SharePoint on a New SharePoint Server.

Reporting Services

Reporting Services. Service accounts are used to configure a report server database connection. Choose the built-in network service if you want to use default authentication settings. If you specify a domain user account, be sure to register a service principal name (SPN) for it if you are using Windows Authentication on the report server. For more information, see How to: Configure Windows Authentication in Reporting Services.

Important:
Microsoft recommends that you do not use the Network Service account for the SQL Server or the SQL Server Agent services if an account with lesser privileges is available, because Network Service is a shareable account. Network Service is appropriate for use as a SQL Server service account only if you can ensure that no other services that use the account are installed on the computer. Local User or Domain User accounts that are not a Windows administrator are more appropriate for SQL Server services.

There is no default logon account for this service.

The default startup type is Automatic.

Integration Services

Integration Services is a set of graphical tools and programmable objects for moving, copying, and transforming data.

The default logon account for this service is NT Authority\Network Service.

The default startup type is Automatic.

SQL Server Full-text Filter Daemon Launcher

The service that creates the fdhost.exe processes. This is required to host the word breakers and filters that process textual data for full-text indexing.

Provide an account in which to run the FDHOST Launcher service. We highly recommend that you use a low privilege account. This account should be different from the account that you use for the SQL Server service. On Windows Vista and Windows Server 2008, the FDHOST Launcher service account defaults to LOCAL SERVICE.

For security reasons, on Windows versions earlier than Windows Vista and Windows Server 2008, we recommend using a specially-created LOCAL USER as the FDHOST Launcher service account. The use of the LOCAL SYSTEM, LOCAL SERVICE, or NETWORK SERVICE might inadvertently provide increased privileges for the service and can reduce the security of your SQL Server installation.

The FDHOST Launcher service is started automatically unless the service account is not valid or you do not specify a service account (on Windows Server 2003 or Windows XP).
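The following PowerShell sketch is an added example, not part of the original documentation or Microsoft's own code. It checks a service inventory against three recommendations on this page: the SQL Server and SQL Server Agent services should not run as Network Service, the FDHOST Launcher should use a low-privilege account, and that account should differ from the one used by the SQL Server service. The service-name patterns (MSSQLSERVER, MSSQL$instance, SQLSERVERAGENT, SQLAgent$instance, MSSQLFDLauncher) and the CONTOSO sample accounts are assumptions.

```powershell
# Added example. Service-name patterns are assumptions covering default and
# named instances; the sample rows at the bottom are constructed.
function Get-InstanceName([string] $ServiceName) {
    # 'MSSQL$SALES' -> 'SALES'; names without '$' belong to the default instance.
    if ($ServiceName -match '\$(.+)$') { $Matches[1] } else { 'MSSQLSERVER' }
}

function Test-SqlServiceAccount {
    param([Parameter(Mandatory)] [object[]] $Services)

    $networkService = '^NT AUTHORITY\\Network ?Service$'
    $localSystem    = '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'
    $engines = $Services | Where-Object { $_.Name -match '^(MSSQLSERVER|MSSQL\$.+)$' }

    foreach ($svc in $Services) {
        # Database Engine or Agent on the shareable Network Service account.
        $isEngineOrAgent = $svc.Name -match '^(MSSQLSERVER|MSSQL\$.+|SQLSERVERAGENT|SQLAgent\$.+)$'
        if ($isEngineOrAgent -and $svc.StartName -match $networkService) {
            "$($svc.Name): runs as the shareable Network Service account"
        }
        if ($svc.Name -match '^MSSQLFDLauncher') {
            # Local Service is the Vista/2008 default, so it is not flagged here.
            if ($svc.StartName -match $networkService -or $svc.StartName -match $localSystem) {
                "$($svc.Name): FDHOST Launcher runs as '$($svc.StartName)', not a low-privilege account"
            }
            # The launcher account should differ from its instance's engine account.
            $instance = Get-InstanceName $svc.Name
            $engine = $engines | Where-Object { (Get-InstanceName $_.Name) -eq $instance }
            if ($engine -and $engine.StartName -eq $svc.StartName) {
                "$($svc.Name): shares account '$($svc.StartName)' with $($engine.Name)"
            }
        }
    }
}

# Constructed inventory, shaped like Win32_Service output (Name, StartName).
$sample = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';           StartName = 'NT AUTHORITY\NetworkService' }
    [pscustomobject]@{ Name = 'SQLSERVERAGENT';        StartName = 'CONTOSO\svc-sqlagent' }
    [pscustomobject]@{ Name = 'MSSQLFDLauncher';       StartName = 'NT AUTHORITY\NetworkService' }
    [pscustomobject]@{ Name = 'MSSQL$SALES';           StartName = 'CONTOSO\svc-sqlsales' }
    [pscustomobject]@{ Name = 'MSSQLFDLauncher$SALES'; StartName = 'NT AUTHORITY\LocalService' }
)
Test-SqlServiceAccount -Services $sample

# On a live host, pass the real services instead:
# Test-SqlServiceAccount -Services (Get-CimInstance Win32_Service -Filter "Name LIKE '%SQL%'")
```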
