Starting with SQL Server 2012, the services of a SQL Server instance are each assigned a service SID. This service SID isolates the SQL services from unnecessary system access. In some cases it may be necessary to grant a service SID permissions in the file system. This is required, for example, when the default path for the database files is changed: the appropriate permissions must first be set on the intended file path. Setting the permission works in principle the same way as for a normal account. However, a service SID is not listed in the corresponding Windows dialog. It must be entered manually:
| SQL Server Service | Permissions granted by SQL Server Setup |
| --- | --- |
| SQL Server Database Engine: (All rights are granted to the per-service SID. Default instance: NT SERVICE\MSSQLSERVER. Named instance: NT SERVICE\MSSQL$InstanceName.) | Log on as a service (SeServiceLogonRight); Replace a process-level token (SeAssignPrimaryTokenPrivilege); Bypass traverse checking (SeChangeNotifyPrivilege); Adjust memory quotas for a process (SeIncreaseQuotaPrivilege); Permission to start SQL Writer; Permission to read the Event Log service; Permission to read the Remote Procedure Call service |
| SQL Server Agent: * (All rights are granted to the per-service SID. Default instance: NT Service\SQLSERVERAGENT. Named instance: NT Service\SQLAGENT$InstanceName.) | Log on as a service (SeServiceLogonRight); Replace a process-level token (SeAssignPrimaryTokenPrivilege); Bypass traverse checking (SeChangeNotifyPrivilege); Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) |
| SSAS: (All rights are granted to a local Windows group. Default instance: SQLServerMSASUser$ComputerName$MSSQLSERVER. Named instance: SQLServerMSASUser$ComputerName$InstanceName. Power Pivot for SharePoint instance: SQLServerMSASUser$ComputerName$PowerPivot.) | Log on as a service (SeServiceLogonRight); For tabular only: Increase a process working set (SeIncreaseWorkingSetPrivilege); Adjust memory quotas for a process (SeIncreaseQuotaSizePrivilege); Lock pages in memory (SeLockMemoryPrivilege) – this is needed only when paging is turned off entirely. For failover cluster installations only: Increase scheduling priority (SeIncreaseBasePriorityPrivilege) |
| SSRS: (All rights are granted to the per-service SID. Default instance: NT SERVICE\ReportServer. Named instance: NT SERVICE\$InstanceName.) | Log on as a service (SeServiceLogonRight) |
| SSIS: (All rights are granted to the per-service SID. Default instance and named instance: NT SERVICE\MsDtsServer130. Integration Services does not have a separate process for a named instance.) | Log on as a service (SeServiceLogonRight); Permission to write to application event log; Bypass traverse checking (SeChangeNotifyPrivilege); Impersonate a client after authentication (SeImpersonatePrivilege) |
| Full-text search: (All rights are granted to the per-service SID. Default instance: NT Service\MSSQLFDLauncher. Named instance: NT Service\MSSQLFDLauncher$InstanceName.) | Log on as a service (SeServiceLogonRight); Adjust memory quotas for a process (SeIncreaseQuotaPrivilege); Bypass traverse checking (SeChangeNotifyPrivilege) |
| SQL Server Browser: (All rights are granted to a local Windows group. Default or named instance: SQLServer2005SQLBrowserUser$ComputerName. SQL Server Browser does not have a separate process for a named instance.) | Log on as a service (SeServiceLogonRight) |
| SQL Server VSS Writer: (All rights are granted to the per-service SID. Default or named instance: NT Service\SQLWriter. SQL Server VSS Writer does not have a separate process for a named instance.) | The SQLWriter service runs under the LOCAL SYSTEM account which has all the required permissions. SQL Server setup does not check or grant permissions for this service. |
| SQL Server Distributed Replay Controller: | Log on as a service (SeServiceLogonRight) |
| SQL Server Distributed Replay Client: | Log on as a service (SeServiceLogonRight) |
Source:
http://msdn.microsoft.com/en-us/library/ms143504.aspx
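
The manual entry of the Database Engine service SID on a new data directory can also be scripted. The following PowerShell is an added example, not part of the original post or of Microsoft's documentation; the path `D:\SQLData`, the parameter names and the choice of Full control are assumptions to adjust for your environment.

```powershell
# Added example: grant the Database Engine per-service SID access to a
# relocated data directory. Run elevated on the SQL Server host itself,
# because "NT SERVICE\..." names only resolve where the service is installed.
param(
    [string]$InstanceName = 'MSSQLSERVER',   # default instance name
    [string]$DataPath     = 'D:\SQLData'     # assumed target directory
)

# Account names as listed in the table above.
if ($InstanceName -eq 'MSSQLSERVER') {
    $account = 'NT SERVICE\MSSQLSERVER'
} else {
    $account = 'NT SERVICE\MSSQL$' + $InstanceName
}

if (-not (Test-Path -LiteralPath $DataPath -PathType Container)) {
    throw "Directory not found: $DataPath"
}

# Resolve the name to a SID first. Translate() throws if the service does
# not exist, which catches a mistyped instance name before any ACL change.
$nt  = New-Object System.Security.Principal.NTAccount($account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

# Service SIDs live under S-1-5-80; refuse anything else so that a name
# collision cannot silently grant rights to an ordinary user or group.
if ($sid.Value -notlike 'S-1-5-80-*') {
    throw "$account resolved to $($sid.Value), which is not a service SID"
}

# Assumption: Full control, inherited by subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -LiteralPath $DataPath
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $DataPath -AclObject $acl

# Read the ACL back and show only the entries for the service SID.
(Get-Acl -LiteralPath $DataPath).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Format-List FileSystemRights, AccessControlType, IsInherited, InheritanceFlags
```

Granting the right to the per-service SID rather than to the service's logon account keeps the permission scoped to that one service, even if the logon account is shared or later changed.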