SQL Express 2005 SP2 and Local Service account

    Question

  • I'm trying to do an unattended install of SQL Express 2005 SP2, and specify that the service runs under the Local Service account.  Prior versions of SQL Express worked fine.
     
    With SQL Express 2005 SP2, however, the install fails on XP Pro SP2.  It *does* work on Windows 2003 Server.
     
    Here's the command line I'm using:
     
    SQLEXPR.EXE /QB ADDLOCAL=ALL INSTANCENAME=FOO SECURITYMODE=SQL SAPWD=BAR SQLACCOUNT="NT AUTHORITY\LOCAL SERVICE"
     
    It fails at the end of the install, saying it can't start the service.  If I use "NETWORK SERVICE", it works fine, but that's more privileges than I want the service to have.  Is there something else on the command line that I can try to get it to work?
     
    Is this even supported?
    -Dave
    Tuesday, March 13, 2007 8:59 PM

Answers

All replies

  • Use the account "NT AUTHORITY\SYSTEM" for local system account.

    This account may be localized on localized operating systems. Please double-check it when it is used on a localized operating system.

     

    Tuesday, March 13, 2007 10:21 PM
  • WAIT - I didn't make it clear enough in my initial post.
     
    I can get SQL running if I make it admin.  But I don't want it to run as a local admin.  I want it to run with restricted permissions.
    • Local System - has full access to the local machine
    • Network Service - restricted access to local machine, but can use remote resources, using the local machine's credentials.
    • Local Service - restricted access to local machine, can only access remote resources anonymously.
    We're installing SQL Express for the user (our product uses it).  In the event that it's compromised, I don't want the service to have any more permissions than it actually needs.
     
    Local Service has worked for us in the past -- it's only breaking with SQL Express 2005 SP2 on XP PRO SP2.
     
    Has anyone gotten this to work?
    -Dave
    Wednesday, March 14, 2007 1:35 PM
  • 'NT Authority\NetworkService' is the second best option.

    The best option is to create a specific domain account for SQL Server and SQL Server Agent, and provide those domain accounts JUST the minimum permissions required.

    See these resources:

    Configuration -Service Accounts, SQL Server 2005 - Setting Up Windows Service Accounts
    http://msdn2.microsoft.com/en-us/library/ms143691.aspx
    http://msdn2.microsoft.com/en-us/library/ms143504.aspx

    Configuration -Service Accounts, SQL Server or SQL Server Agent service account
    http://support.microsoft.com/kb/283811/en-us
    http://msdn2.microsoft.com/en-us/library/ms143691.aspx

    Configuration -Service Accounts,Selecting an Account for the SQL Server Agent Service
    http://msdn2.microsoft.com/en-us/library/ms191543.aspx
    http://support.microsoft.com/kb/907557

     

    Wednesday, March 14, 2007 3:41 PM
    Moderator
  • I really need to use LocalService for my application.
     
    I agree that a domain account would be the best choice, but my users won't be able to create a domain account during installation.  And your first two links (which are very good) are the ones that suggested LocalService is the next best choice.  In fact they specifically recommend NOT using NetworkService.
     
    Here's the kicker -- in experimenting, I've found that I can install as NetworkService (installation works) and then go modify the service to use the LocalService account using the configuration tool.  So it seems like LocalService is supported.  Remember: prior to SP2 of SQLExpress 2005 it worked, and even the SP2 kit installs correctly on Windows 2003 server.  I just can't get it to install on XP SP2. 
     
    I'm trying to find out if there's a bug in the SQL 2005 SP2 installer, or if there's something I'm missing in how I'm doing the install.
     
    Has anyone been able to do an unattended install of SQL 2005 SP2 that uses the LocalService account?  On XP SP2?
     
    -Dave
     
     
     
     
    Wednesday, March 14, 2007 4:07 PM
  • Ok - I found the answer.  LocalService is not supported for the SQL Agent service.
     
    According to http://msdn2.microsoft.com/en-us/library/ms191543.aspx SQL Server Agent doesn't support LocalService.
    And, according to  http://msdn2.microsoft.com/en-us/library/ms143504.aspx SQL Server and SQL Agent should use the same account.
     
    So, if I want a really secure SQL server install, I have to use a Domain User.  But since my users can't create domain accounts, I'll simply fall back and take the default install, which uses NetworkService as the service's account.
     
    -Dave
    Wednesday, March 14, 2007 9:04 PM
  • I have had the same issues and have done the same thing and am going with the same. I know this is years later, but I am still using the same SQL ed.
    Sunday, April 15, 2012 4:14 AM
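
An added example, not part of the original thread: a PowerShell check to run after the unattended install. It resolves the three built-in service accounts from their well-known SIDs (the names are localized, as the first reply notes) and reports which account the instance's services actually run under. The instance name FOO comes from the command line in the question; the service names MSSQL$<instance> and SQLAgent$<instance>, the helper name Resolve-AccountSid, and PowerShell 3.0 or later are assumptions.

```powershell
# Added example (not from the thread): audit the service accounts of one SQL instance.
$instance = 'FOO'   # assumption: instance name from the question's command line

# Well-known SIDs are identical on every Windows language version;
# only the account names they resolve to are localized.
$builtin = [ordered]@{
    'S-1-5-18' = 'Local System: full access to the local machine'
    'S-1-5-19' = 'Local Service: restricted locally, anonymous on the network'
    'S-1-5-20' = 'Network Service: restricted locally, machine credentials on the network'
}

function Resolve-AccountSid([string]$Name) {
    # Win32_Service reports Local System as the bare string "LocalSystem"; map it explicitly.
    if ($Name -eq 'LocalSystem') { return 'S-1-5-18' }
    try {
        $account = New-Object System.Security.Principal.NTAccount($Name)
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null   # name could not be resolved on this machine
    }
}

# Localized names on this machine, usable as the SQLACCOUNT value.
foreach ($sid in $builtin.Keys) {
    $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
    '{0} -> {1}' -f $sid, $id.Translate([System.Security.Principal.NTAccount]).Value
}

# Assumed service names for a named instance: engine and Agent.
$serviceNames = @(('MSSQL$' + $instance), ('SQLAgent$' + $instance))

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $serviceNames -contains $_.Name } |
    ForEach-Object {
        $sid = Resolve-AccountSid $_.StartName
        $note = if ($sid -and $builtin.Contains($sid)) { $builtin[$sid] }
                else { 'Other account: review its rights and group membership' }
        [pscustomobject]@{
            Service   = $_.Name
            State     = $_.State
            StartName = $_.StartName
            Sid       = $sid
            Note      = $note
        }
    } | Format-Table -AutoSize -Wrap
```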