Home Forums SQL Server 2008 SQL Server 2008 Administration NT SERVICE\SQLSERVERAGENT RE: NT SERVICE\SQLSERVERAGENT

  • October 13, 2015 at 3:22 pm

    #1833094

    Actually, that is a least rights service user account with no password that logs into via group SQLServerMSSQLUser$computername$MSSQLSERVER. (like SQLServerMSASUser$MyServer$MSSQLSERVER for SSAS).

    The "NET SERVICE\.." users are then members of those group types. These members are the default way a service logs into the SQL engine. The description box reads; "Members in the group have the required access and privileges to be assigned as the logon account for the associated instance of SQL Server 2014 XXXXXXX Services." Basically its a pre-2008R2 throwback.

    During SQL Server installation, SQL Server Setup creates a local Windows groups for SSAS (if installed) and the SQL Server Browser service. For these services, SQL Server configures the ACL for the local Windows groups.

    Depending on the service configuration, the service account for a service or service SID is added as a member of the service group during install or upgrade.

    I actually use AD users accounts when I build SQL so I never see most groups in the lusrmgr.msc, but the user accounts "NET SERVICE\.." are seen in SSMS for SQL and SQL Agent.

    If you run lusrmgr.msc and look at the groups, you might see groups like SQLServerMSSQLUser$computername$MSSQLSERVER and NT SERVICE\MSSQLSERVER is a member of the group. I see the SSAS version and NT SERVICE\MSSQLServerOLAPService user account in that group.

    Essentially, these are local accounts for those SQL Servers not in AD domains. (my opinion) You will probably see less of NET SERVICE users are MS is depreciated them for virtual accounts and MSA.