Sql-server – Do NT Service accounts need to be SysAdmin when using Domain Accounts

Tags: security, sql-server, sql-server-2014

I'm not sure if I'm googling for the wrong thing but I can't find an answer. We're running SQL 2014. The SQL Server and SQL Agent processes are both running under Domain Managed Service Accounts.

When SQL was installed, NT SERVICE\MSSQLSERVER, NT SERVICE\SQLSERVERAGENT, NT SERVICE\SQLWriter and NT SERVICE\Winmgmt were all set up as SysAdmins.

If I am running SQL and SQL Agent as a Domain user, do I still need these NT Service accounts, and/or do they need to be SysAdmin?

Best Answer

If I am running SQL and SQL Agent as a Domain user, do I still need these NT Service accounts, and/or do they need to be SysAdmin?

Even if you are running SQL Server as a domain account, keep those NT SERVICE\* logins as they are.

From BOL:

Virtual accounts in Windows Server 2008 R2 and Windows 7 are managed local accounts that provide the following features to simplify service administration. The virtual account is auto-managed, and the virtual account can access the network in a domain environment. If the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2 or Windows 7, a virtual account using the instance name as the service name is used, in the format NT SERVICE\<SERVICENAME>.

These logins are members of the sysadmin fixed server role, so they can do anything in the Database Engine. Keep them in the SYSADMIN role even if you are using a domain account. See the SQL Server Per-service SID Login and Privileges section.

A really good answer detailing the above: Service/Database Accounts - NT SERVICE\MSSQLSERVER & NT SERVICE\SQLSERVERAGENT … what are they for?

These accounts can't be selected in the list of available built-in accounts, local accounts or domain accounts. This is because they are services, not accounts. They have a security identifier (SID) in Windows, but Windows knows they aren't real users. Windows can authenticate them, but they don't have passwords that any human can use. If you run lusrmgr.msc and look at the groups, you will see groups like SQLServerMSSQLUser$computername$MSSQLSERVER and NT SERVICE\MSSQLSERVER is a member of the group.