SQL Server Managed Service account

Original address: http://www.cnblogs.com/jfzhu/p/4007472.html

Reprint please indicate the source

(a) login account used by Windows services

Windows services can access resources and objects in the operating system only if they are logged on to an account. Services generally do not change the default logon account, which may cause the service to fail. If the selected account does not have sufficient permissions, the Services snap-in for Microsoft Management Console (MMC) automatically grants the account the user right to log on to the service on the managed computer. Windows Server Services can use a domain account or three built-in local accounts as the logon account for each system service, and three built-in accounts without a password:

(1) Local System account: The Local System account is powerful, it has full access to the system

(2) Local services account (NT authority\local Service)

(3) Network Services account (NT Authority\Network Service)

Most of the services in the system use the above three built-in local accounts as login accounts.

(ii) Managed Service account

There are some issues with using domain accounts and built-in accounts in some cases, assuming that the SQL Server service is using the Local System account, other services that use the Local System account can connect to the SQL Server database, and if you are using a domain account, After the password of the domain account is changed, the login account password of these services should be changed manually in Services.msc, and if the password of the domain account used by the service is set to never expire, it will leave a system security risk, so from Windows Server 2008 R2 and Windows 7, a new feature managed the service account (managed service accounts) came into being. The password for the managed service account is generated by the system and changed every 30 days, and the login account that uses the managed service account as the Windows service does not need to set a password. The managed service account is only bound to be used on a single computer. In order to isolate different Windows services, a managed service account should be used only for one service.

(iii) Managed Service account in SQL Server 2012

SQL Server 2012 creates a managed service account for each SQL Server-related service, with the exception of SQL Server browser and Analysis service. How to install SQL Server, see the installation of step by step SQL Server 2012.

The managed service account naming conventions used by SQL Server are the following table

Service Name	Instance	Service account naming convention
Database Engine	Default	MSSQLServer
Agent Service	Default	SQLServerAgent
Reporting Server	Default	ReportServer
Analysis Service	Default	MSSQLServerOLAPService
Fulltext Service	Default	Mssqlfdlauncher
Database Engine	InstanceName	Mssql$instancename
Agent Service	InstanceName	Sqlagent$instancename
Reporting Server	InstanceName	Reportserver$instancename
Analysis Service	InstanceName	Msolap$instancename
Fulltext Service	InstanceName	Mssqlfdlauncher$instancename
Integration Service	Not applicable	MSDtsServer110

Check that the service account used by Database engine and SQL Server Agent in SQL Server is assigned the SA role.

Summarize:

(1) In previous systems, the Windows service could use a domain account or three built-in local accounts as a login account. The local System, NT Authority\Local service, and NT AUTHORITY\NETWORK Service are the three native accounts. When you select a Windows service login account, the account can have no permissions, and the MMC Service snap-in automatically grants the account the user right to log on to the service on the managed computer.

(2) Managed service account starts appearing from Windows 7 and Windows R2, and with this type of accounts, the system can automatically process the account password for you.

(3) SQL Server 2012 creates a managed service account for each SQL Server-related service (except SQL Server browser and Analysis service).

SQL Server Managed Service account