SQL Server Desktop Engine Runs Under the Local System Account (332100)



The information in this article applies to:

  • Microsoft Internet Information Services
  • Microsoft Internet Information Services version 6.0

This article was previously published under Q332100
Bug #: 634621 (Windows Bugs)

SUMMARY

SQL Server Desktop Engine (also known as MSDE 2000) runs as the MSSQLServer service and the SQL Server Agent service. By default, the MSSQLServer service and SQL Server Agent are configured to run under the local system account.

MORE INFORMATION

When the Web Application Server role includes a SQL Server Desktop Engine component, the logon account for the MSSQL$WEBDB MSDE service is the local system account. The Services snap-in (Services.msc) reports this logon account. Microsoft recommends that you run the MSSQLServer service, SQL Server Agent, and SQL Server Desktop Engine under a Microsoft Windows NT account, not under the local system account.

The Windows NT account should have the following Windows rights:
  • Bypass traverse checking
  • Increase quotas
  • Lock pages in memory
  • Log on as a batch job
  • Log on as a service
  • Replace a Process Level Token
  • Act as part of the operating system
The startup account for the MSSQLServer service should have Full Control permissions on the NTFS file system folders of the instance. This account should be a local Windows NT account or a domain Windows NT account. For example, for an instance named WEBDB, the folder is D:\Program Files\Microsoft SQL Server\MSSQL$WEBDB\. The subfolders and files must also have the same NTFS permissions.

The Windows NT account should also have the following registry key permissions. Set Full Control permissions for the startup account for the MSSQLServer service on the following registry keys (shown here for a named instance WEBDB):
  • HKEY_LOCAL_MACHINE\Software\Clients\Mail
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\80
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\MSSQL$WEBDB\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Search
Note: The startup account should be a local Windows NT account or a domain Windows NT account.

To change the logon account for SQL Server Desktop Engine from Services, right-click the MSSQL$WEBDB service. To configure a local account or a domain account that is only assigned permissions to access database and Web content, click the Log On tab in the MSSQL$WEBDB Service dialog box, click This account, and then type the user name and password information.
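The following read-only audit is an added example, not part of the original article: it reports the logon account of the WEBDB instance services and checks whether that account has an explicit Full Control entry on the folder and registry keys listed above. It assumes Windows PowerShell is available on the server and that the SQL Server Agent service for the instance is named SQLAgent$WEBDB.

```powershell
# Added audit example. Instance name, folder and registry keys are the ones the article lists.
$Instance = 'WEBDB'
$Services = @(('MSSQL$' + $Instance), ('SQLAgent$' + $Instance))  # Agent service name is an assumption
$Folder   = 'D:\Program Files\Microsoft SQL Server\MSSQL$' + $Instance
$RegKeys  = @(
    'HKLM:\Software\Clients\Mail',
    'HKLM:\Software\Microsoft\Microsoft SQL Server\80',
    ('HKLM:\Software\Microsoft\Microsoft SQL Server\MSSQL$' + $Instance),
    'HKLM:\Software\Microsoft\MSDTC',
    'HKLM:\Software\Microsoft\Search'
)

# Returns $true when the ACL on $Path has an explicit Allow / FullControl entry for $Account.
# Access granted only through group membership is not detected, and only the top-level
# folder or key is inspected (the article also requires the same rights on subfolders and files).
function Test-FullControl([string]$Path, [string]$Account) {
    if (-not (Test-Path -Path $Path)) { return $false }
    $rules = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Account
    }
    foreach ($r in $rules) {
        # Folders expose FileSystemRights; registry keys expose RegistryRights.
        $rights = if ($r.FileSystemRights) { $r.FileSystemRights } else { $r.RegistryRights }
        if ("$rights" -match 'FullControl') { return $true }
    }
    return $false
}

foreach ($name in $Services) {
    $svc = Get-WmiObject Win32_Service -Filter ("Name='{0}'" -f $name)
    if (-not $svc) { Write-Output "$name : service not installed"; continue }

    $account = $svc.StartName
    if ($account -eq 'LocalSystem') {
        Write-Output "$name : runs as LocalSystem (the article recommends a Windows NT account)"
        continue
    }

    # The service stores a local account as .\name, while ACL entries show COMPUTER\name.
    $account = $account -replace '^\.\\', ($env:COMPUTERNAME + '\')
    Write-Output "$name : runs as $account"

    foreach ($path in @($Folder) + $RegKeys) {
        $state = if (Test-FullControl $path $account) { 'OK' } else { 'MISSING' }
        Write-Output ("  {0,-7} Full Control on {1}" -f $state, $path)
    }
}
```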

Modification Type: Major
Last Reviewed: 7/2/2003
Keywords: kbinfo kbpending kbprb KB332100 kbAudDeveloper