Troubleshooting SQL Server Services Accounts
If you have difficulty starting either the MSSQLServer or SQLServerAgent service under a particular user account, you can:
- Use Windows NT User Manager to verify that the account has Log on as a service rights on the computer. (Both of these must be assigned within the security context of the local computer, not the domain.)
If services are started by someone who is not a member of the Windows NT local administrators group, the service account must have these permissions:
- Full control of the main Microsoft SQL Server directory (by default, \Mssql7).
- Full control of the SQL Server database files, regardless of storage location.
- The Log on as a service right. Ensure that all logon hours are allowed in the Logon Hours dialog box.
- Full control of registry keys at and below HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer.
- Selection of the Password Never Expires box.
- Full control of registry keys at and below HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLServer.
- Full control of registry keys at and below HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib.
If the service does not have the appropriate permissions, certain functionality cannot be accomplished. For example, to write to a mail slot, the service must have a Windows NT domain user account, not just local system, with network write privileges. The service must be a Windows NT account with local administrator privileges to:
- Create SQL Server Agent CmdExec and ActiveX Script jobs not belonging to members of the sysadmin role.
- Use the automatic server restart feature of SQL Server Agent.
- Create SQL Server Agent jobs to be run when the server is idle.
- For the MSSQLServer service, right-click the server, click Properties, and then click the Security tab. Under Startup service account, enter the appropriate account and password. If the password is incorrect or has changed, the service cannot be started until the correct password is entered.
Caution For the MSDTC service only, use Services in Control Panel to reenter the user account password. If the password is incorrect or has changed, the service cannot be started until the correct password is entered. If necessary, change the account's password using User Manager, and then enter that password for the service using Services in Control Panel.
- For the SQLServerAgent service, expand the server, and then expand Management. Right-click SQLServerAgent and click Properties. On the General tab (the default) in the Service startup account section, enter the account and password.
- Assign the account experiencing the problem to another service. If you still have difficulty starting the MSSQLServer or SQLServerAgent service under a particular user account, assign that account to another service (for example, the Spooler service) and verify that the service can be started successfully. If not, the account is either not configured properly or cannot be validated by the domain controller (for example, if no domain controller is available).