Service Accounts Redux

The other day I made a post that mixed a couple of concepts. I mentioned that you should always use a separate set of Windows accounts for the SQL Server Engine and Agent services. I also mentioned security ramifications.

The fact that the SQL Server Engine and Agent have different accounts does not affect SQL Server security - that wasn't my point. I was more concerned that you're able to track which service performed a particular action. Also, I normally assign a mail account to the account that starts SQL Server Agent, but not the SQL Server Engine.

The "mixed" part of the post is that you don't want to use the "built-in" accounts such as LocalService or NetworkService. Those accounts are used by other features in Windows, and if they start SQL Server they can also affect its operation.
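
One way to check a server against both recommendations, as an added example that is not code from the original post: the function below pairs each instance's Engine and Agent services and flags built-in or shared accounts. The function name, the output columns, and the sample rows are constructed for illustration, and LocalSystem is included in the built-in list as an assumption beyond the two accounts named above.

```powershell
# Added example: audit SQL Server Engine/Agent service accounts.
# Built-in accounts to flag; whitespace is stripped before matching.
# LocalSystem is an assumption added here; the post names the other two.
$BuiltInPattern = '^(NTAUTHORITY\\)?(LocalService|NetworkService|LocalSystem)$'

function Get-SqlServiceAccountFinding {   # hypothetical helper name
    param(
        # Objects exposing Name and StartName, e.g. Win32_Service instances
        [Parameter(Mandatory)] [object[]] $Service
    )
    $rows = foreach ($svc in $Service) {
        # Default instance: MSSQLSERVER / SQLSERVERAGENT
        # Named instance:   MSSQL$<name> / SQLAgent$<name>
        if     ($svc.Name -match '^(MSSQLSERVER|MSSQL\$(?<inst>.+))$')       { $role = 'Engine' }
        elseif ($svc.Name -match '^(SQLSERVERAGENT|SQLAgent\$(?<inst>.+))$') { $role = 'Agent' }
        else   { continue }   # not an Engine or Agent service
        $instance = if ($Matches['inst']) { $Matches['inst'] } else { 'MSSQLSERVER' }
        [pscustomobject]@{
            Instance = $instance
            Role     = $role
            Account  = $svc.StartName
            BuiltIn  = (($svc.StartName -replace '\s', '') -match $BuiltInPattern)
            Shared   = $false
        }
    }
    # Engine and Agent of the same instance should not run under one account
    foreach ($group in ($rows | Group-Object Instance)) {
        $engine = $group.Group | Where-Object Role -eq 'Engine'
        $agent  = $group.Group | Where-Object Role -eq 'Agent'
        if ($engine -and $agent -and ($engine.Account -eq $agent.Account)) {
            $group.Group | ForEach-Object { $_.Shared = $true }
        }
    }
    $rows
}

# Constructed sample rows (not taken from a real server)
$sample = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';    StartName = 'CONTOSO\svc-sqlengine' }
    [pscustomobject]@{ Name = 'SQLSERVERAGENT'; StartName = 'CONTOSO\svc-sqlagent' }
    [pscustomobject]@{ Name = 'MSSQL$REPORTS';    StartName = 'NT AUTHORITY\NetworkService' }
    [pscustomobject]@{ Name = 'SQLAgent$REPORTS'; StartName = 'NT AUTHORITY\NetworkService' }
    [pscustomobject]@{ Name = 'Spooler';        StartName = 'LocalSystem' }
)
Get-SqlServiceAccountFinding -Service $sample | Format-Table -AutoSize

# Against the local machine:
# Get-SqlServiceAccountFinding -Service (Get-CimInstance Win32_Service) | Format-Table -AutoSize
```

Any row with BuiltIn or Shared set to True is an instance where the account alone cannot tell you which service performed an action.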

