SQL Server Agent service account cannot be a built-in account "NT SERVICE\SQLSERVERAGENT"

  • Question

  • How to run SQL Server Agent service not as a built-in account like: "NT SERVICE\SQLSERVERAGENT"
    Monday, June 8, 2015 10:16 AM

All replies

  • How to run SQL Server Agent service not as a built-in account like: "NT SERVICE\SQLSERVERAGENT"

    Create a local or domain account and run the SQL Server Agent using that account. Use SQL Server Configuration Manager to change the account. Read below:

    https://msdn.microsoft.com/en-us/ms143504.aspx



    Monday, June 8, 2015 10:23 AM
  • Hello - In fact, we do not recommend running the SQL Server Database Engine or SQL Server Agent using a built-in account.

    Instead, you should create a local user account, domain user account, or service account and use that for running the services. Once you have created the account, you can use SQL Server Configuration Manager to change the service account for SQL Server or its related services, including SQL Server Agent.

    Monday, June 8, 2015 10:36 AM
  • "In fact, we do not recommend running the SQL Server Database Engine or SQL Server Agent using a built-in account."

    I'm surprised. Can you elaborate? I'm thinking a Virtual Account (the default) vs a Local account, why would we prefer a local account?


    Tibor Karaszi, SQL Server MVP | web | blog

    Monday, June 8, 2015 6:12 PM
  • Hello Tibor - Windows built-in accounts (for example, if we use the "Local System" account, it refers to NT AUTHORITY\System, which is part of the Windows Administrators group and then eventually sysadmin in SQL Server) are powerful accounts and will have unrestricted access to all local resources, which in my opinion is not a good idea to follow due to security concerns.

    Additionally, MS recommends that we use a domain user account that has minimal rights for the SQL Server service, because the SQL Server service does not require administrator account privileges.

    I am OK with creating a local account as well, with minimum privileges just to run the services, and have greater control over it.

    A few references:

    https://msdn.microsoft.com/en-us/ms191543.aspx?f=255&MSPPError=-2147217396


    Good Luck!

    Tuesday, June 9, 2015 6:52 AM
  • Hi Manu,

    But you need to differentiate between the various types of built-in accounts! Isshkabibble wasn't using "Local System" (which I agree is a horrible account to use). Isshkabibble was using a virtual account, and that has no permissions assigned, and hence there is no advantage of using a local account (like you suggested) instead of a virtual account - in fact a local account is worse since you have yet another account for which you need "Password never expires".

    Whether to use a domain account is a different question. I was, however, questioning your advice to use a regular *local* account instead of a (built-in) virtual account.


    Tibor Karaszi, SQL Server MVP | web | blog

    Tuesday, June 9, 2015 9:02 AM
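
The thread turns on which kind of account a service actually runs under (Local System, a virtual account, a local user, or a domain user). The following is an added example, not part of any post above: it sorts a service's logon name into those categories so an audit can tell them apart. The function name `Get-ServiceAccountType`, the category labels, the host name `SQLHOST01` and the sample account names are assumptions made for illustration.

```powershell
# Added example: classify a service logon account (Win32_Service.StartName)
# into the account types distinguished in the thread.
# Get-ServiceAccountType and its labels are hypothetical names.
function Get-ServiceAccountType {
    param(
        [Parameter(Mandatory)][string]$StartName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $name = $StartName.Trim()
    # Local System is reported as "LocalSystem" or "NT AUTHORITY\SYSTEM".
    if ($name -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') { return 'Built-in: Local System' }
    # Remaining NT AUTHORITY accounts (Local Service, Network Service).
    if ($name -match '^NT AUTHORITY\\') { return 'Built-in: other' }
    # Virtual accounts live under NT SERVICE\ and have no password to manage.
    if ($name -match '^NT SERVICE\\') { return 'Virtual account' }
    # SCOPE\user: scope "." or the machine name means a local account.
    if ($name -match '^(?<scope>[^\\]+)\\(?<user>.+)$') {
        if ($Matches.scope -eq '.' -or $Matches.scope -eq $ComputerName) {
            return 'Local user account'
        }
        return 'Domain account'
    }
    # user@domain (UPN) form.
    if ($name -match '@') { return 'Domain account' }
    return 'Unknown'
}

# Constructed sample values (not taken from any real host).
$samples = @(
    [pscustomobject]@{ Service = 'SQLSERVERAGENT'; StartName = 'NT SERVICE\SQLSERVERAGENT' }
    [pscustomobject]@{ Service = 'MSSQLSERVER';    StartName = 'LocalSystem' }
    [pscustomobject]@{ Service = 'SQLAgent$INST1'; StartName = 'SQLHOST01\sqlagent_svc' }
    [pscustomobject]@{ Service = 'MSSQL$INST1';    StartName = 'CONTOSO\svc_sql' }
)

$samples | ForEach-Object {
    [pscustomobject]@{
        Service   = $_.Service
        StartName = $_.StartName
        Type      = Get-ServiceAccountType -StartName $_.StartName -ComputerName 'SQLHOST01'
    }
} | Format-Table -AutoSize

# On a live host, feed it real data instead:
# Get-CimInstance Win32_Service -Filter "Name LIKE '%SQL%'" |
#     Select-Object Name, StartName, @{ n = 'Type'; e = { Get-ServiceAccountType $_.StartName } }
```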