Sql-server – SQL Server Service Account – Things to test post change (from Local System to Network Service)

Tags: sql server, sql-server-2008-r2, sql-server-2012

We needed to change the SQL Service Account for the SQL Server Database Engine & Agent Services from Local System, as it has extensive privileges.

What are the things that we should do to test within the SQL Server database itself to ensure that there are no issues / permission problems with this change?

Note that the service has been changed and seems to be running fine (both the Agent service and the SQL Server engine).

The two versions we are implementing this in are SQL Server 2008 R2 and SQL Server 2012.

Best Answer

In Short: Everything and Anything. And Nothing.

But seriously: A few thoughts about changing the SQL Server service account:

  1. ALWAYS use the SQL Server Configuration Manager. This tool is smart. It knows what permissions need to be assigned to the service account. And generally does it. If you change it from the Windows Services control panel - GOOD LUCK.
  2. The service account is how SQL Server interacts locally and with the network. So moving from Local System - you shouldn't care about breaking networked connections - since they wouldn't work anyway. But you would generally want to make sure things like "Will SQL Server start?" happen (that means it can at least read the drives that master/model/msdb/tempdb and the error logs are on). And that verifies the registry.
  3. If you assigned Perform Volume Maintenance Tasks to a SQL Server service account before - that will likely need to be assigned again.
  4. Generally this is a safe move. As long as you do it through the SQL Server Configuration Manager. Often we'll see folks do this through the Windows Services control panel, something breaks, so they quickly grant their service account local admin rights - and "poof!" everything works.

In your particular case though - you are moving from one special privileged account to another. As you have seen - you were safe and things worked. I would also take this time to question the choice of the service account.

Are you on a domain? Why not use a domain user account per the best practices? The local accounts with special privileges are not the most secure or reliable service account choices. This article from Microsoft explains more there.
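The checks named in the answer (the service starts under the new account, it can read the system database files and error logs, and Perform Volume Maintenance Tasks is still in effect) can be run from a query window. The script below is an added example, not part of the original answer; it assumes a sysadmin login, `sys.dm_server_services` (SQL Server 2008 R2 SP1 and later), and uses a constructed throwaway database name `IFI_Check_Constructed`.

```sql
-- 1. Which account each service now runs under, and whether it is running.
SELECT servicename, service_account, status_desc, startup_type_desc
FROM sys.dm_server_services;

-- 2. Every database is ONLINE, i.e. the new account could open the data
--    and log files (master/model/msdb/tempdb included).
SELECT d.name, d.state_desc, mf.type_desc, mf.physical_name
FROM sys.databases AS d
JOIN sys.master_files AS mf ON mf.database_id = d.database_id
ORDER BY d.database_id, mf.file_id;

-- 3. The engine (log type 1) and Agent (log type 2) error logs are readable,
--    so the new account can write to the log directory.
--    xp_readerrorlog is undocumented but ships with both versions.
EXEC sys.xp_readerrorlog 0, 1;
EXEC sys.xp_readerrorlog 0, 2;

-- 4. Perform Volume Maintenance Tasks (instant file initialization).
--    Undocumented trace flags: 3004 reports file zeroing, 3605 sends that
--    output to the error log.
DBCC TRACEON (3004, 3605, -1);

CREATE DATABASE IFI_Check_Constructed;   -- constructed name, dropped below

-- Rows returned here are "Zeroing <file>" messages for the new database.
-- Log files are always zeroed, so a row for the .ldf is expected.
-- A row for the .mdf means data files are being zeroed: the new service
-- account does not hold Perform Volume Maintenance Tasks.
EXEC sys.xp_readerrorlog 0, 1, N'Zeroing', N'IFI_Check_Constructed';

DROP DATABASE IFI_Check_Constructed;
DBCC TRACEOFF (3004, 3605, -1);
```

A privilege granted after the change only takes effect once the SQL Server service is restarted, so rerun step 4 after the restart.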