• Gerald.Barnes - Wednesday, February 21, 2018 10:40 AM

    John
    I used SQLServer 2014 Configuration Manager to change the SQL Server and SQL Server agent accounts to a totally new account I had created. The services ran OK but the extra permissions documented in https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions had not been set. I noticed they were set for the built-in default accounts NT SERVICE\MSSQLSERVER and NT Service\SQLSERVERAGENT that had never been used though.
    Is this just finger trouble on my system or is it the case that these permissions they refer to are not used all the time but just for less common things? I do not like the thought of setting them all manually with no way of testing that I have set them correctly. On the other hand, anything I release will be tried out extensively in our test departments before it goes live and so there will be some level of protection.
    Gerald

    That would be correct to see the permissions set that way. Even if running under a domain account, SQL Server will create those per-service SIDs. The permissions are a combination of your new account and the per-service SID. The two are tied together. In the document for configuring the service accounts and permissions, an important piece of info is:
    For most components SQL Server configures the ACL for the per-service account directly, so changing the service account can be done without having to repeat the resource ACL process.

    So permissions are granted to the per service sid rather than the domain account itself for most objects, rights local to the server. It's just a way to grant permissions to the service itself rather than a specific account. This post is a pretty good explanation of it:
    SQL Server Service Account and Per-Service SID

    Sue
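
A way to check the behaviour described in this thread, as an added example that is not part of the original posts: the script derives the per-service SID for each service, shows the logon account beside it, and lists the ACL entries that name that SID. The service names are the default-instance names mentioned above; the directories to inspect are an assumption and must be passed in by the reader.

```powershell
param(
    # Default-instance service names from the thread.
    [string[]]$ServiceNames = @('MSSQLSERVER', 'SQLSERVERAGENT'),
    # Assumption: the caller supplies the instance's data, log or backup directories.
    [string[]]$Paths = @()
)

function Get-ServiceSid {
    param([string]$ServiceName)
    # A per-service SID is S-1-5-80- followed by the SHA-1 of the upper-cased
    # UTF-16LE service name, read as five little-endian 32-bit integers.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    try   { $hash = $sha1.ComputeHash($bytes) }
    finally { $sha1.Dispose() }
    $subs = 0..4 | ForEach-Object { [System.BitConverter]::ToUInt32($hash, $_ * 4) }
    'S-1-5-80-' + ($subs -join '-')
}

foreach ($name in $ServiceNames) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "Service $name not found"; continue }

    $sid = Get-ServiceSid $name
    # sc.exe reports whether the service token carries its SID (NONE means it does not).
    $sidType = & sc.exe qsidtype $name |
        Select-String 'SERVICE_SID_TYPE' |
        ForEach-Object { $_.Line.Trim() }

    # Collect ACL entries that are granted to the per-service SID itself.
    $hits = foreach ($p in $Paths) {
        (Get-Acl -LiteralPath $p).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $sid } |
            ForEach-Object { "{0}: {1} {2}" -f $p, $_.AccessControlType, $_.FileSystemRights }
    }

    [pscustomobject]@{
        Service      = $name
        LogonAccount = $svc.StartName   # the account chosen in Configuration Manager
        ServiceSid   = $sid
        SidType      = $sidType
        AclEntries   = if ($hits) { $hits -join '; ' } else { 'none found in supplied paths' }
    }
}
```

An entry under `AclEntries` alongside a different `LogonAccount` is the situation Sue describes: the resource is granted to the service's SID, so it survives a change of logon account.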