Changing Passwords and User Accounts
Microsoft SQL Server 2005 services accounts and passwords are linked to Microsoft Windows user accounts and passwords. Changes in one location may require changes in the other.
Changing SQL Server Services Accounts After Installation
After you have installed SQL Server 2005, use SQL Server Configuration Manager to change the assigned password or other properties of any SQL Server–related service. Each service must be changed individually. The new user account takes effect when the service is restarted.
You should not change the passwords for any of the SQL Server service accounts when a failover cluster node is down or offline. If you have to do this, you will need to reset the password again using Configuration Manager when all nodes are back online.
The following rights are granted to the accounts:
- SeServiceLogonRight, which allows the account to run as a service.
- SeLockMemoryPrivilege, which allows the account to use the AWE memory feature of SQL Server.
- SeTcbPrivilege, which allows the account to impersonate other accounts.
If you are running SQL Server in a failover cluster configuration, permissions are also set for all files in the binary and data installation locations for all nodes in the cluster. Permission is also granted for the service account on the Cluster Object.
If you are running Microsoft Windows 2000 and want to use the Windows 2000 Encrypted File System to encrypt any SQL Server files, you must unencrypt the files before you can change the SQL Server service accounts. If you do not unencrypt the files and then reset the SQL Server service accounts, you cannot unencrypt the files.
Changing the current service account for SQL Server to a non-administrator account causes existing full-text catalogs to become inaccessible. Either rebuild and perform a full population of all catalogs belonging to this instance of SQL Server, or switch back to an account with administrator permissions.
You can change the SQLServerAgent service account to a non Windows NT 4.0 administrator account. However, the Windows NT 4.0 account must be a member of the sysadmin fixed server role to run SQL Server Agent.
For more information, see Setting Up Windows Service Accounts. For information about using the Services add-in for Windows to change SQL Server service accounts, see How to change the SQL Server or SQL Server Agent service account without using SQL Enterprise Manager in SQL Server 2000 or SQL Server Configuration Manager in SQL Server 2005.
Windows Passwords Changes
If your Windows password changes after SQL Server 2005 is installed – e.g., your password expires - you must also revise the user account information for SQL Server services in Windows.
To change SQL Server services login account information (Windows 2000)
After changing the SQL Server service account information in Control Panel, you must also change the SQL Server service account in SQL Server Configuration Manager. This allows the service account information for Microsoft Search service to remain synchronized as well.
|Setting strong passwords is essential to the security of your system. Always use strong passwords.|
Although the Microsoft Search service is always assigned to the local system account, the full-text search engine tracks the SQL Server service account in Windows. Full-text search and failover clustering are not available if Windows password changes are not reset.
For more information about creating Windows user accounts, granting advanced user rights, setting password expiration, and managing group memberships, see the Windows documentation or User Manager for Domains Help. For Microsoft Windows 2000 users, see Computer Management or Group Policy Editor in the Windows 2000 documentation.
Help and Information
17 July 2006