SQL server Virtual account and folder permissions
-
29-09-2020 - |
문제
How does SQL server 2012 still work after changing the Service account to a domain account or even a local account. For example: as mentioned in MSDN
https://msdn.microsoft.com/en-us/library/ms143504.aspx#VA_Desc
This folder Instid\MSSQL\data
has full control privileges to the virtual account NT service\MSSQLSERVER
. But I am confused how SQL server still starts after changing the service account to a domain or local account as this new service account will not be having privileges to this particular folder unless we explicitly provide it. And from what I tested, SQL Server fails to start if you remove NT service\MSSQLSERVER
from Instid\MSSQL\data
folder's permissions.
So does this mean any account which is a SQL server service account is automatically added to NT service\MSSQLSERVER
group?, How does this work?
해결책
As long as you change the service account being used by using the SQL Configuration Manager, then it will configure all the necessary permissions for the new service account.
https://msdn.microsoft.com/en-us/library/ms143504%28SQL.110%29.aspx#Serv_SID
Note that the mechanism that happens under the hood to grant these permissions has changed with the different versions of SQL, according to this discussion: https://social.msdn.microsoft.com/Forums/sqlserver/en-US/9e6bb2de-8fd0-45de-ab02-d59bbe05f72e/servicedatabase-accounts-nt-servicemssqlserver-nt-servicesqlserveragent-what-are-they-for?forum=sqlsecurity