Setup option: Grant Perform Volume Maintenance Task. Grants NT SERVICE\MSSQLSERVER the privilege instead of the configured Windows account.

    Question

  • Hi,

    Using the setup wizard, configuring the SQL Server Database Engine to use a domain account and checking the checkbox: "Grant Perform Volume Maintenance Task to SQL Server Database Engine Service"

    ConfigurationFile.ini:
    ....
    SQLSVCACCOUNT="<domain>\<user>"
    ; Set to "True" to enable instant file initialization for SQL Server service. If enabled, Setup will grant Perform Volume Maintenance Task privilege to the Database Engine Service SID. This may lead to information disclosure as it could allow deleted content to be accessed by an unauthorized principal.
    ...

    The Setup does not grant the privilege to the configured domain account, instead NT SERVICE\MSSQLSERVER is granted the permission.

    Regards,
    Brynjar


    Monday, March 20, 2017 12:25 PM

Answers

  • Had the same question as I was seeing identical behavior, found this from a supported TechNet blog.

    Notably, setup grants the privilege to the per-service SID for the SQL Server instance, e.g. to the NT SERVICE\MSSQL$SQL2016 security principal, for an instance named SQL2016. This is preferable to granting the privilege to the SQL Server engine service account, which is still sometimes done by administrators. The service account is subject to change, and if changed, SQL Server could unexpectedly lose the IFI privilege. But the per-service SID remains the same for the lifetime of the instance, which avoids this risk.

    Wednesday, December 5, 2018 3:36 PM
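
A way to verify on a given host what the answer above describes, added here as an example and not part of the thread: it compares the holders of SeManageVolumePrivilege against the instance's per-service SID and its configured service account. The default-instance service name `MSSQLSERVER` and the temporary file name are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Assumption: default instance; for a named instance use 'MSSQL$<InstanceName>'.
$serviceName = 'MSSQLSERVER'

# Per-service SID as derived by the Service Control Manager from the service name.
$serviceSid = (& sc.exe showsid $serviceName |
    Select-String -Pattern 'S-1-5-80-[\d-]+').Matches[0].Value

# Account the service is configured to run as (SQLSVCACCOUNT in ConfigurationFile.ini).
$startName = (Get-CimInstance Win32_Service -Filter "Name='$serviceName'").StartName
try {
    $accountSid = ([System.Security.Principal.NTAccount]$startName).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
} catch { $accountSid = $null }   # e.g. LocalSystem does not translate by this name

# Export the local user-rights assignments and read the SeManageVolumePrivilege line.
$cfg = Join-Path $env:TEMP "user_rights_${PID}.inf"   # assumed scratch file name
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$entry = Select-String -Path $cfg -Pattern '^SeManageVolumePrivilege\s*=' |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are "*<SID>" or, occasionally, a plain account name; normalise to SIDs.
$holders = @()
if ($entry) {
    $holders = @(($entry.Line -split '=', 2)[1].Split(',') | ForEach-Object {
        $value = $_.Trim().TrimStart('*')
        if ($value -match '^S-1-') { $value }
        else {
            try { ([System.Security.Principal.NTAccount]$value).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value }
            catch { $value }   # keep unresolved names visible in the output
        }
    })
}

# Direct grants only: a grant inherited through a group shows up under AllHolders.
[pscustomobject]@{
    Service                = $serviceName
    PerServiceSid          = $serviceSid
    ServiceAccount         = $startName
    GrantedToPerServiceSid = $holders -contains $serviceSid
    GrantedToAccountItself = ($null -ne $accountSid) -and ($holders -contains $accountSid)
    AllHolders             = $holders -join ', '
} | Format-List
```

On SQL Server versions that expose it, the `instant_file_initialization_enabled` column of `sys.dm_server_services` shows whether the engine actually has instant file initialization in effect.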

All replies

  • So you are saying that you gave your SQL Server service account to run SQL Server database engine service and then on config page you also made sure you add this account for Perform volume task priv and after installation it is showing the NT Service\MSSQLSERVER?

    Are you sure you did this configuration correctly?


    Cheers,

    Shashank

    Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it

    My TechNet Wiki Articles

    MVP

    Monday, March 20, 2017 2:46 PM
    Moderator
  • Hi, Shanky_621

    On "Server Configuration" page on "Service Accounts" tab, you have the option to set the SQL Server Database Engine service account and you have the check box "Grant Perform Volume Maintenance Task privilege to SQL Server Database Engine Service"

    I set the SQL Server Database Engine service account to use Windows domain account and I checked the check box.

    After install the ConfigurationFile.ini reads:
    ....
    SQLSVCACCOUNT="<domain>\<user>"
    ; Set to "True" to enable instant file initialization for SQL Server service. If enabled, Setup will grant Perform Volume Maintenance Task privilege to the Database Engine Service SID. This may lead to information disclosure as it could allow deleted content to be accessed by an unauthorized principal.
    ... 

    I do not see any other way to do this more correctly through the Setup Wizard.

    Regards,
    Brynjar

    Monday, March 20, 2017 3:29 PM
  • So you are doing this correctly, ignore the warning.

    Cheers,

    Shashank

    Monday, March 20, 2017 4:06 PM
    Moderator