Share via


Service Account

SQL Server Express users: click Service Account (SQL Server Express) for information that is specific to SQL Server Express Setup.

Use the Service Account page of the Microsoft SQL Server Installation Wizard to assign a login account to the SQL Server services. The actual services configured on this page depend on the features you have selected to install.

Options

You can assign the same login account to all SQL Server services, or you can configure each service account individually. You can also specify whether services start automatically.

ms143691.security(en-US,SQL.90).gifSecurity Note:
Setting strong passwords is essential to the security of your system. Always use strong passwords.
  • Customize the logon for each service account
    Select the Customize for each service account check box to customize settings for individual services.

    This option assigns specific logon accounts to individual services. Click this check box to implement the principle of least privileges, where SQL Server services are granted the minimum permissions they need to complete their tasks. For more information, see Setting Up Windows Service Accounts.

    If this check box is not selected, the same account and settings are used for all SQL Server services.

    Select any of the following services to customize its settings.

    Select this service To configure authentication settings for

    SQL Server

    The SQL Server Database Engine

    SQL Server Agent

    The service that executes jobs, monitors, SQL Server, and allows automation of administrative tasks.

    Analysis Services

    Analysis Services

    Reporting Services

    Reporting Services. Service accounts are used to configure a report server database connection. Choose a domain user account if you want to connect to a report server database on a remote SQL Server instance. If you are using a local report server database, you can use a domain user account or Local System to run the service.

    SQL Server Browser

    SQL Server Browser is the name resolution service that provides SQL Server connection information to client computers. This service is shared across multiple SQL Server and Integration Services instances.

  • Use the built-in System account
    You can assign Local System, Network Service, or Local Service to the logon for the configurable SQL Server services.

    The Local System option specifies a local system account that does not require a password to connect to SQL Server on the same computer. However, the local system account may restrict the SQL Server installation from interacting with other servers, depending on the privileges granted to the account.

    Important

    Local System is a powerful account; it may not be appropriate for all Service settings. For more information, see Security Considerations for a SQL Server Installation.

    The Network Service account is a special, built-in account that is similar to an authenticated user account. The Network Service account has the same level of access to resources and objects as members of the Users group. Services that run as the Network Service account access network resources using the credentials of the computer account.

    Important

    We recommend that you do not use the Network Service account for the SQL Server or the SQL Server Agent services. Local User or Domain User accounts are more appropriate for these SQL Server services.

    The Local Service account is a special, built-in account that is similar to an authenticated user account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with no credentials.

    For more information on service accounts, see Setting Up Windows Service Accounts.

  • Use a domain user account
    Specifies a domain user account that uses Windows Authentication to set up and connect to SQL Server. Microsoft recommends using a domain user account with minimal rights for the SQL Server service, as the SQL Server service does not require administrator account privileges.

    The SQL Server Agent account must have administrator privileges if you create CmdExec and ActiveScript jobs that belong to someone other than a SQL Server administrator, or if you use the AutoRestart feature. If the above features are requirements in your environment, consider using separate service accounts for the SQL Server and SQL Server Agent services.

    For strong password guidelines, see Authentication Mode.

    Note

    The domain name cannot be a full DNS name. For example, if your DNS name is my-domain-name.com, use my-domain-name in the domain field. SQL Server Setup will not accept my-domain-name.com in the domain field.

  • Start services at the end of SQL Server Setup
    Automatically starts the services when your operating system is started. For SQL Server 2005, the services Auto-start option will be selected by default for SQL Server, Analysis Services, and Reporting Services.

    Note

    The SQL Server Agent service depends on the SQL Server service. If you select the Auto-start check box for SQL Server Agent, Auto-start is automatically selected for the SQL Server service and it cannot be unchecked unless you uncheck the option for SQL Server Agent.

    Important

    Off by Default - To enhance security in SQL Server 2005, some services and features are not activated by default. They have to be configured and enabled after Setup is complete. For more information, see SQL Server Surface Area Configuration and Security Considerations for a SQL Server Installation.

See Also

Reference

Setting Up Windows Service Accounts

Concepts

Security Considerations for a SQL Server Installation

Help and Information

Getting SQL Server 2005 Assistance