Permissions to Native user accounts

  • Question

  • Hello,

    In my environments I am using a separate domain account for SQLServer and SQLServer Agent service and they are both members of sysadmin grp. All my envs are clustered. I am seeing

    NT Authority\System

    NT Service\ClusSvc

    NT Service\MSSQLServer

    NT Service\SQLServerAgent

    NT Service\SQLWriter

    NT Service\Winmgmt

    as sysadmins. Is it safe to disable these accounts?

    Thanks in advance

    • Moved by Dan Guzman MVP, Wednesday, May 10, 2017 1:34 AM (Move question to more appropriate forum)
    Tuesday, May 9, 2017 9:54 PM

Answers

  • I would not touch them as service packs may rely on the default settings.

    NT Service\MSSQLServer and NT SQLServerAgent are the original service accounts that SQL Server was installed under.

    It should be safe to place them in a lower privilege role. SQLWriter is used by the VSS service, which 3rd party backup tools use to back up your SQL Server databases. Again it should be ok to place that in a lower privileged role.

    The name ClusSvc indicates a role in clustering. WinMgmt is part of the Windows management interface.

    This link indicates that you can change the service accounts:

    https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions

    But it does not talk about removing or touching the virtual accounts on your server.

    • Proposed as answer by Teige Gao Wednesday, May 10, 2017 6:55 AM
    • Marked as answer by oleolehoohoo Wednesday, May 10, 2017 6:06 PM
    Tuesday, May 9, 2017 10:47 PM
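
Added example, not part of the original thread: a read-only T-SQL inventory of the sysadmin role that classifies each member and shows whether it matches an account a SQL Server service is currently configured to run as, which is the information to record before changing any of the logins listed in the question. It assumes VIEW SERVER STATE permission for `sys.dm_server_services` and that the service account name is reported in the same form as the login name.

```sql
-- Added example: inventory of sysadmin members. Makes no changes to the instance.
-- Assumption: sys.dm_server_services.service_account uses the same
-- "DOMAIN\user" / "NT Service\name" form as sys.server_principals.name.
SELECT
    p.name        AS login_name,
    p.type_desc   AS login_type,
    p.is_disabled AS is_disabled,
    p.create_date AS created,
    p.modify_date AS last_modified,
    CASE
        WHEN p.name LIKE N'NT SERVICE\%'   THEN 'per-service (virtual) account'
        WHEN p.name LIKE N'NT AUTHORITY\%' THEN 'built-in Windows account'
        WHEN p.type = 'S'                  THEN 'SQL Server login'
        ELSE 'Windows user or group'
    END           AS category,
    -- Non-NULL when a SQL Server service is configured to run as this login.
    s.servicename AS runs_service,
    s.is_clustered
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r
     ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS p
     ON p.principal_id = rm.member_principal_id
LEFT JOIN sys.dm_server_services AS s
     -- UPPER + explicit collation avoids case and collation mismatches
     -- between the DMV and the catalog view.
     ON UPPER(s.service_account) COLLATE DATABASE_DEFAULT
      = UPPER(p.name)            COLLATE DATABASE_DEFAULT
WHERE r.name = N'sysadmin'
ORDER BY category, p.name;
```

Saving this output before and after any role change gives a record to compare against if a service pack, the cluster service or a VSS-based backup later fails.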