Account for the SQL Server Agent Service

Agent runs as a specified user account. You select an account for the SQL Server Agent service by using SQL Server Configuration Manager. Replace SYSTEMUSER with created user.

Make following GPO changes made for SQL server GPO.

From "Windows Domain Account Permissions" and "Windows Group Membership" http://msdn.microsoft.com/en-us/library/ms191543.aspx

  • Add Log on as a service to SYSTEMUSER
  • Add Pre-Windows 2000 Compatible Access group to SYSTEMUSER
  • Add bypass traverse checking to SYSTEMUSER
  • Add replace a process-level token SYSTEMUSER
  • Add adjust memory quotas for a process SYSTEMUSER
  • Add log on using the batch logon type SYSTEMUSER
  • Add new restricted group “Pre-Windows 2000 Compatible Access” to GPO with user SYSTEMUSER

Changes required in MSSQL (not performed) must be performed by user with permissions to MSSQL locally on the server:

The account must be a member of the sysadmin fixed server role. To use multiserver job processing, the account must be a member of the msdb database role TargetServersRole on the master server.

There is a note on the page which discusses membership in the Local Administrators Group:

For improved security, the SQL Server Agent service account should not be a member of the local Administrators group. However, there are limitations for using multiserver administration when the SQL Server Agent service account is not a member of the local Administrators group. For more information, see Service Account Types Supported for SQL Server Agent.

Currently SYSTEMUSER is a member of the Local Administrators Group. add/remove to test if you wish.

Was this answer helpful?

 Print this Article

Also Read

Blank or Black Screen after Welcome Screen

If after logging into a server or workstation you receive a blank or black screen directly after...

The Windows Filtering Platform has blocked a bind to a local port

If you see error event 5152, 5157, and/or 5159 being logged on your Windows 2008 Server(s) which...