Gerald.Barnes - Wednesday, February 21, 2018 10:40 AM
That would be correct to see the permissions set that way. Even if running under a domain account, SQL Server will create those per-service sids. The permissions is a combination of your new account and the per service sid. The two are tied together. In the document for configuring the services accounts and permissions, an important pieces of info is:
For most components SQL Server configures the ACL for the per-service account directly, so changing the service account can be done without having to repeat the resource ACL process.
So permissions are granted to the per service sid rather than the domain account itself for most objects, rights local to the server. It's just a way to grant permissions to the service itself rather than a specific account. This post is a pretty good explanation of it:
SQL Server Service Account and Per-Service SID
Sue