SQL Server Service Account Privileges

Updated: 2007-02-20

Problem
SQL Server 2005 Books Online indicates that the SQL Server service account requires permission to start the following related services (among many other requirements): SQL Server Active Directory Helper and SQL Server VSS Writer services. How can I verify service-related permissions for the SQL Server service account?

Solution
Obviously, the service account does not NEED permission to start these services if you are not going to make use of them. Let's assume for the moment that you are, and that you want to determine whether the SQL Server service account has these permissions and, more generally, what permissions the account has on services on the machine in question.

A tool called "AccessChk" will allow you to see this type of information, along with lots of other access-related information for given accounts. You can find information on the tool at the following link - http://www.microsoft.com/technet/sysinternals/utilities/AccessChk.mspx.

As an example, the following command line will give you effective permissions to all services on the local machine for an account named "LTCBOYDMS\sqlService":

accesschk "LTCBOYDMS\sqlService" -vc *

To determine service-related permissions, the -c option must be used. Without it, you get by default ACL information for files/folders/shares and other information, which is also handy in many situations. If you specify the wildcard character (i.e. *), you will get permission-related information for the given account against ALL services on the machine. If you are looking for information on a specific service only, you can replace the wildcard with the appropriate service name. For example, to get effective permissions for only the SQLWriter service (SQLWriter.exe is the executable called for the SQL Server VSS Writer service), you could use the following command:

accesschk "LTCBOYDMS\sqlService" -vc "SQLWriter"

An example command for the Active Directory Helper service would be something like the following:

accesschk "LTCBOYDMS\sqlService" -vc "MSSQLServerADHelper"

The output from the command should look similar to the following:

C:\Projects\Toolbox\accessCheck>accesschk.exe "DUMMYDOMAIN\svcSqlService" -vc *

AccessChk v2.0 - Check account access of files, registry keys or services
Copyright (C) 2006 Mark Russinovich
Sysinternals - www.sysinternals.com

RW Alerter
SERVICE_ALL_ACCESS

RW ALG
SERVICE_ALL_ACCESS

RW MSSQL$SQL2000
SERVICE_ALL_ACCESS

RW MSSQL$SQL2005
SERVICE_ALL_ACCESS

RW MSSQL$SQL2005B
SERVICE_ALL_ACCESS

RW MSSQL$SQLEXPRESS
SERVICE_ALL_ACCESS

RW MSSQLServerADHelper
SERVICE_ALL_ACCESS

<<<Results abbreviated>>>

R Pml Driver HPZ12
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_PAUSE_CONTINUE
SERVICE_START
SERVICE_STOP
SERVICE_USER_DEFINED_CONTROL
READ_CONTROL

<<<Results abbreviated>>>

RW SQLBrowser
SERVICE_ALL_ACCESS

RW SQLWriter
SERVICE_ALL_ACCESS

<<<Results abbreviated>>>

C:\Projects\Toolbox\accessCheck>

In the output, the "RW" designators at the beginning of each entry indicate Read/Write privileges (if present), followed by the service name. Using the -v option provides the additional detail shown below each service above. SERVICE_ALL_ACCESS means full access to the service; if the account does not have that, you should see the individual service-related privileges instead, as in the entry above for the "Pml Driver HPZ12" service.
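
The following is an added example, not part of the original tip: a small Python parser for the `accesschk -vc` output format shown above. It answers the tip's question (can the account start SQLWriter and MSSQLServerADHelper?) and also lists services where the account holds SERVICE_ALL_ACCESS beyond those two. The function names and the NEEDED set are assumptions made for this illustration, and the sample text is trimmed from the output above.

```python
import re

# Sample trimmed from the AccessChk output shown in this tip.
SAMPLE_OUTPUT = """\
AccessChk v2.0 - Check account access of files, registry keys or services

RW Alerter
SERVICE_ALL_ACCESS
RW MSSQLServerADHelper
SERVICE_ALL_ACCESS
R Pml Driver HPZ12
SERVICE_QUERY_STATUS
SERVICE_START
READ_CONTROL
RW SQLWriter
SERVICE_ALL_ACCESS
"""

# Services the tip says the SQL Server service account must be able to start.
NEEDED = {"SQLWriter", "MSSQLServerADHelper"}

SERVICE_LINE = re.compile(r"^([RW]{1,2})\s+(\S.*)$")  # e.g. "RW SQLWriter"
RIGHT_LINE = re.compile(r"^[A-Z][A-Z_]+$")            # e.g. "SERVICE_START"

def parse_accesschk(text):
    """Map each service name to the set of rights listed under it."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = SERVICE_LINE.match(line)
        if match:
            current = services.setdefault(match.group(2), set())
        elif current is not None and RIGHT_LINE.match(line):
            current.add(line)  # banner and prompt lines match neither pattern
    return services

def can_start(services, name):
    """True if the account holds SERVICE_START or SERVICE_ALL_ACCESS."""
    return bool(services.get(name, set()) & {"SERVICE_START", "SERVICE_ALL_ACCESS"})

def excess_full_control(services, needed=NEEDED):
    """Services outside `needed` where the account has SERVICE_ALL_ACCESS."""
    return sorted(n for n, r in services.items()
                  if "SERVICE_ALL_ACCESS" in r and n not in needed)

if __name__ == "__main__":
    parsed = parse_accesschk(SAMPLE_OUTPUT)
    print({svc: can_start(parsed, svc) for svc in sorted(NEEDED)})
    print("Full control beyond NEEDED:", excess_full_control(parsed))
```

To use it on a real machine, redirect the AccessChk output to a file and pass the file's text to `parse_accesschk` in place of the sample.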

Thursday, April 19, 2012 - 9:15:48 AM - Jim

accesschk link is http://technet.microsoft.com/en-us/sysinternals/bb664922


