SQL Server Group accounts


SQL Server 2005 and later versions expect service accounts to be changed using Configuration Manager, not through Services.msc.


Configuration Manager also performs other tasks, such as adding the service accounts to the groups, so you don't have to grant access to individual service accounts.


The group accounts in SQL Server are


SQLServerMSSQLUser$ComputerName$MSSQLSERVER (For SQL Server Service Account)


SQLServerSQLAgentUser$ComputerName$MSSQLSERVER (For SQL Server Agent Account)


SQLServer2005MSFTEUser$ComputerName$MSSQLSERVER (For SQL Server FT account)


The SIDs for each of the above group accounts are stored in the following registry keys:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\FTSGroup


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLGroup


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\AgtGroup


To get the SIDs of group accounts, either from the local system or from a domain, use the utility PSGETSID:


PSGETSID groupname


PSGETSID is part of the PSTools and can be downloaded from


http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx
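The following PowerShell audit is an added example, not part of the original post. It reads the three group SIDs from the registry key above, resolves each to its group name, and checks whether the matching service's logon account is a member. It assumes a default instance (MSSQL.1), local groups, Windows PowerShell 5.1 or later, and the service names shown; the mapping of registry value to service is inferred from the value names.

```powershell
# Added example: audit the group SIDs recorded by SQL Server setup (default instance, MSSQL.1).
$setupKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup'
# Registry value -> Windows service whose logon account should be a member of that group.
# Service names are assumptions for a default SQL Server 2005 instance; adjust as needed.
$map = [ordered]@{ SQLGroup = 'MSSQLSERVER'; AgtGroup = 'SQLSERVERAGENT'; FTSGroup = 'msftesql' }

function Resolve-AccountSid([string]$name) {
    # Normalise the forms Win32_Service.StartName uses before translating to a SID.
    if ($name -eq 'LocalSystem') { $name = 'NT AUTHORITY\SYSTEM' }
    $name = $name -replace '^\.\\', "$env:COMPUTERNAME\"
    try { ([System.Security.Principal.NTAccount]$name).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }   # unresolvable account: the caller leaves InGroup empty
}

$setup = Get-ItemProperty -Path $setupKey -ErrorAction Stop
$report = foreach ($value in $map.Keys) {
    $row = [ordered]@{ Value = $value; Sid = $setup.$value; Group = $null; Service = $map[$value]
                       LogonAccount = $null; InGroup = $null; Error = $null }
    try {
        # Same lookup PSGETSID performs, in the SID -> name direction.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($row.Sid)
        $row.Group = $sid.Translate([System.Security.Principal.NTAccount]).Value
        # Works for local groups; a domain group must be queried from the directory instead.
        $members = @(Get-LocalGroupMember -SID $sid -ErrorAction Stop | ForEach-Object { $_.SID.Value })
        $svc = Get-CimInstance Win32_Service -Filter "Name='$($map[$value])'"
        if ($svc) {
            $row.LogonAccount = $svc.StartName
            $acctSid = Resolve-AccountSid $svc.StartName
            if ($acctSid) { $row.InGroup = $members -contains $acctSid }
        }
    } catch {
        # Missing registry value, orphaned SID, or a group that is not local.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}
$report | Format-Table -AutoSize
```

An InGroup value of False is consistent with a service account that was changed through Services.msc instead of Configuration Manager.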


The service accounts for Integration Services and Browser are determined by SQL Server at runtime and are not associated with a SID.


At runtime, SQL Server concatenates SQLServer2005DTSUser$ with the machine name from the registry key


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\90\Machines\OriginalMachineName


 


The full group name for Integration services is in the form SQLServer2005DTSUser$ComputerName


 


The same applies to the Browser account, SQLServer2005SQLBrowserUser$


 


The full group name for Browser account is in the form SQLServer2005SQLBrowserUser$ComputerName


 


For further information on setting up Windows service accounts, refer to http://msdn.microsoft.com/en-us/library/ms143504.aspx


 


 


 


 
