Configure Windows Service Accounts and Permissions

Each service in SQL Server represents a process or a set of processes that manages the authentication of SQL Server operations with Windows. This topic describes the default configuration of services in this release of SQL Server, and the configuration options for SQL Server services that you can set during and after SQL Server installation.

Contents

This topic is divided into the following sections:

  • Services Installed by SQL Server
  • Service Properties and Configuration
  • Service Permissions

Services Installed by SQL Server

Depending on the components that you decide to install, SQL Server Setup installs the following services:

  • SQL Server Database Services - The service for the SQL Server relational Database Engine. The executable file is <MSSQLPATH>\MSSQL\Binn\sqlservr.exe.

  • SQL Server Agent - Executes jobs, monitors SQL Server, fires alerts, and enables automation of some administrative tasks. The SQL Server Agent service is present but disabled on instances of SQL Server Express. The executable file is <MSSQLPATH>\MSSQL\Binn\sqlagent.exe.

  • Analysis Services - Provides online analytical processing (OLAP) and data mining functionality for business intelligence applications. The executable file is <MSSQLPATH>\OLAP\Bin\msmdsrv.exe.

  • Reporting Services - Manages, executes, creates, schedules, and delivers reports. The executable file is <MSSQLPATH>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe.

  • Integration Services - Provides management support for Integration Services package storage and execution. The executable path is <MSSQLPATH>\120\DTS\Binn\MsDtsSrvr.exe.

  • SQL Server Browser - The name resolution service that provides SQL Server connection information for client computers. The executable path is c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe.

  • Full-text search - Quickly creates full-text indexes on content and properties of structured and semistructured data to provide document filtering and word-breaking for SQL Server.

  • SQL Writer - Allows backup and restore applications to operate in the Volume Shadow Copy Service (VSS) framework.

  • SQL Server Distributed Replay Controller - Provides trace replay orchestration across multiple Distributed Replay client computers.

  • SQL Server Distributed Replay Client - One or more Distributed Replay client computers that work together with a Distributed Replay controller to simulate concurrent workloads against an instance of the SQL Server Database Engine.

Service Properties and Configuration

Startup accounts used to start and run SQL Server can be domain user accounts, local user accounts, managed service accounts, virtual accounts, or built-in system accounts. To start and run, each service in SQL Server must have a startup account configured during installation.

This section describes the accounts that can be configured to start SQL Server services, the default values used by SQL Server Setup, the concept of per-service SIDs, the startup options, and configuring the firewall.

Default Service Accounts

The following table lists the default service accounts used by Setup when installing all components. The default accounts listed are the recommended accounts, except as noted.

Stand-alone Server or Domain Controller

Component                                 | Windows Server 2008 | Windows 7 and Windows Server 2008 R2 and higher
Database Engine                           | NETWORK SERVICE     | Virtual Account *
SQL Server Agent                          | NETWORK SERVICE     | Virtual Account *
SSAS                                      | NETWORK SERVICE     | Virtual Account *
SSIS                                      | NETWORK SERVICE     | Virtual Account *
SSRS                                      | NETWORK SERVICE     | Virtual Account *
SQL Server Distributed Replay Controller  | NETWORK SERVICE     | Virtual Account *
SQL Server Distributed Replay Client      | NETWORK SERVICE     | Virtual Account *
FD Launcher (Full-text Search)            | LOCAL SERVICE       | Virtual Account
SQL Server Browser                        | LOCAL SERVICE       | LOCAL SERVICE
SQL Server VSS Writer                     | LOCAL SYSTEM        | LOCAL SYSTEM

* When resources external to the SQL Server computer are needed, Microsoft recommends using a Managed Service Account (MSA), configured with the minimum privileges necessary.

SQL Server Failover Cluster Instance

Component                       | Windows Server 2008                   | Windows Server 2008 R2
Database Engine                 | None. Provide a domain user account.  | None. Provide a domain user account.
SQL Server Agent                | None. Provide a domain user account.  | None. Provide a domain user account.
SSAS                            | None. Provide a domain user account.  | None. Provide a domain user account.
SSIS                            | NETWORK SERVICE                       | Virtual Account
SSRS                            | NETWORK SERVICE                       | Virtual Account
FD Launcher (Full-text Search)  | LOCAL SERVICE                         | Virtual Account
SQL Server Browser              | LOCAL SERVICE                         | LOCAL SERVICE
SQL Server VSS Writer           | LOCAL SYSTEM                          | LOCAL SYSTEM

Changing Account Properties

Important

  • Always use SQL Server tools such as SQL Server Configuration Manager to change the account used by the SQL Server Database Engine or SQL Server Agent services, or to change the password for the account. In addition to changing the account name, SQL Server Configuration Manager performs additional configuration such as updating the Windows local security store, which protects the service master key for the Database Engine. Other tools such as the Windows Services Control Manager can change the account name but do not change all the required settings.
  • For Analysis Services instances that you deploy in a SharePoint farm, always use SharePoint Central Administration to change the server accounts for PowerPivot service applications and the Analysis Services service. Associated settings and permissions are updated to use the new account information when you use Central Administration.
  • To change Reporting Services options, use the Reporting Services Configuration Tool.
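The Configuration Manager rule above can be followed from a script as well: the SMO WMI provider (Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer) is the same provider Configuration Manager sits on, so its SetServiceAccount method performs the extra work (service master key protection, per-service SID ACLs, the log-on-as-a-service right) that sc.exe and the Services MMC skip. The following PowerShell is an added example, not code from the original article; the PAYROLL instance, the CONTOSO\sqlPayroll$ gMSA and the assumption that SMO is installed on the host are placeholders.

```powershell
# Added example: change a SQL Server service account the supported way (SMO WMI provider).
# Assumes the SQL Server management components (SMO) are installed and the shell is elevated.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')

function Set-SqlServiceAccountSafely {
    param(
        [Parameter(Mandatory)][string]$ServiceName,   # e.g. MSSQLSERVER, MSSQL$PAYROLL, SQLSERVERAGENT
        [Parameter(Mandatory)][string]$Account,       # DOMAIN\gmsa$, NT SERVICE\<name>, or DOMAIN\user
        [string]$Password = '',                       # blank for MSA/gMSA and virtual accounts
        [switch]$Restart
    )
    $wmi = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer   # local computer
    $svc = $wmi.Services[$ServiceName]
    if (-not $svc) { throw "Service '$ServiceName' not found in the SQL Server WMI provider." }

    $before = $svc.ServiceAccount
    # SetServiceAccount updates the logon account, grants 'Log on as a service', re-protects the
    # service master key and fixes up the per-service SID ACLs; 'sc.exe config' does none of that.
    $svc.SetServiceAccount($Account, $Password)
    $svc.Refresh()

    if ($Restart) {
        # The new identity is used only after a restart. Restart-Service -Force also restarts
        # dependent services such as SQL Server Agent.
        Restart-Service -Name $ServiceName -Force
    }
    [pscustomobject]@{ Service = $svc.Name; Before = $before; After = $svc.ServiceAccount }
}

# Move the PAYROLL instance from a domain user account to a gMSA (password left blank).
Set-SqlServiceAccountSafely -ServiceName 'MSSQL$PAYROLL' -Account 'CONTOSO\sqlPayroll$' -Restart

# What NOT to do: this changes only the SCM logon entry and leaves the service master key
# protection and the SQL-specific ACLs tied to the old account.
#   sc.exe config "MSSQL$PAYROLL" obj= "CONTOSO\sqlPayroll$" password= ""
```

Run the function once per service (Database Engine and Agent are separate services with separate accounts), and confirm the result in the SQL Server error log, which reports the account the engine started under.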

New Account Types Available with Windows 7 and Windows Server 2008 R2

Windows 7 and Windows Server 2008 R2 have two new types of service accounts called managed service accounts (MSA) and virtual accounts. Managed service accounts and virtual accounts are designed to provide crucial applications such as SQL Server with the isolation of their own accounts, while eliminating the need for an administrator to manually administer the Service Principal Name (SPN) and credentials for these accounts. These make long-term management of service account users, passwords and SPNs much easier.

  • Managed Service Accounts

    A Managed Service Account (MSA) is a type of domain account created and managed by the domain controller. It is assigned to a single member computer for use running a service. The password is managed automatically by the domain controller. You cannot use an MSA to log into a computer, but a computer can use an MSA to start a Windows service. An MSA has the ability to register a Service Principal Name (SPN) with Active Directory. An MSA is named with a $ suffix, for example DOMAIN\ACCOUNTNAME$. When specifying an MSA, leave the password blank. Because an MSA is assigned to a single computer, it cannot be used on different nodes of a Windows cluster.

    Note

    The MSA must be created in Active Directory by the domain administrator before SQL Server Setup can use it for SQL Server services.

  • Group Managed Service Accounts

    A Group Managed Service Account is an MSA for multiple servers. Windows manages a service account for services running on a group of servers. Active Directory automatically updates the group managed service account password without restarting services. You can configure SQL Server services to use a group managed service account principal. Beginning with SQL Server 2014, SQL Server supports group managed service accounts on Windows Server 2012 R2 and later for standalone instances, failover cluster instances, and availability groups.

    To use a group managed service account for SQL Server 2014 or later, the operating system must be Windows Server 2012 R2 or later. Servers with Windows Server 2012 R2 require KB 2998082 applied so that the services can log in without disruption immediately after a password change.

    For more information, see Group Managed Service Accounts.

    Note

    The group managed service account must be created in Active Directory by the domain administrator before SQL Server Setup can use it for SQL Server services.

  • Virtual Accounts

    Virtual accounts (beginning with Windows Server 2008 R2 and Windows 7) are managed local accounts that provide the following features to simplify service administration. The virtual account is auto-managed, and the virtual account can access the network in a domain environment. If the default value is used for the service accounts during SQL Server Setup, a virtual account using the instance name as the service name is used, in the format NT SERVICE\<SERVICENAME>. Services that run as virtual accounts access network resources by using the credentials of the computer account in the format <domain_name>\<computer_name>$. When specifying a virtual account to start SQL Server, leave the password blank. If the virtual account fails to register the Service Principal Name (SPN), register the SPN manually. For more information on registering an SPN manually, see Manual SPN Registration.

    Note

    Virtual accounts cannot be used for a SQL Server Failover Cluster Instance, because the virtual account would not have the same SID on each node of the cluster.

    The following table lists examples of virtual account names.

    Service                                                              | Virtual Account Name
    Default instance of the Database Engine service                      | NT SERVICE\MSSQLSERVER
    Named instance of a Database Engine service named PAYROLL            | NT SERVICE\MSSQL$PAYROLL
    SQL Server Agent service on the default instance of SQL Server       | NT SERVICE\SQLSERVERAGENT
    SQL Server Agent service on an instance of SQL Server named PAYROLL  | NT SERVICE\SQLAGENT$PAYROLL

For more information on Managed Service Accounts and Virtual Accounts, see the Managed service account and virtual account concepts section of Service Accounts Step-by-Step Guide and Managed Service Accounts Frequently Asked Questions (FAQ).
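Creating the group managed service account before Setup, as the notes above require, and then checking the SPN the way the virtual-account text describes, looks like this in PowerShell. This is an added example, not part of the original article; it needs the ActiveDirectory RSAT module and domain admin rights on the directory side and local admin rights on the SQL host, and the CONTOSO domain, host names, group name and the sqlPayroll account are placeholders.

```powershell
# ---- On a domain controller (or any host with the ActiveDirectory RSAT module), as a domain admin ----
Import-Module ActiveDirectory

# A gMSA needs a KDS root key in the forest. A past -EffectiveTime is a lab shortcut; in
# production omit it and wait the default 10 hours for replication before creating accounts.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) }

# Only the SQL hosts in this group may retrieve the managed password (least privilege).
New-ADGroup -Name 'SQL-Payroll-Hosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'SQL-Payroll-Hosts' -Members 'SQL01$', 'SQL02$'

# Create the gMSA with the SPNs the Database Engine needs for Kerberos. Because the gMSA, not the
# computer, is the service identity, the MSSQLSvc SPNs belong on the gMSA object (one set per
# host or listener name the instance answers on; named instances use host:port and host:instance).
New-ADServiceAccount -Name 'sqlPayroll' -DNSHostName 'sqlPayroll.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL-Payroll-Hosts' `
    -ServicePrincipalNames 'MSSQLSvc/sql01.contoso.com:1433', 'MSSQLSvc/sql01.contoso.com:PAYROLL'

# ---- On each SQL host, elevated, after a reboot so the host's new group membership is in its token ----
Install-ADServiceAccount -Identity 'sqlPayroll'
if (-not (Test-ADServiceAccount -Identity 'sqlPayroll')) {
    throw 'This host cannot retrieve the gMSA password; check group membership and the KDS root key.'
}

# List the SPNs on the account. Missing or duplicate SPNs silently downgrade client connections to NTLM.
setspn.exe -L 'CONTOSO\sqlPayroll$'

# If the SQL Server error log reports that the SPN could not be registered, register it manually.
# -S refuses to create a duplicate. For a virtual account the SPN goes on the computer account instead:
#   setspn.exe -S MSSQLSvc/sql01.contoso.com:1433 CONTOSO\SQL01$
setspn.exe -S 'MSSQLSvc/sql01.contoso.com:1433' 'CONTOSO\sqlPayroll$'
```

Use a separate gMSA for SQL Server Agent (for example sqlPayrollAgt) so that the two services do not share an identity, which the security note below calls for.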

Security Note: Always run SQL Server services by using the lowest possible user rights. Use an MSA or virtual account when possible. When MSA and virtual accounts are not possible, use a specific low-privilege user account or domain account instead of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Do not grant additional permissions to the SQL Server service account or the service groups; permissions are granted through group membership or granted directly to a service SID, where a service SID is supported.
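A quick way to check an existing server against the default-account table and the security note above is to enumerate the SQL Server services and classify the account each one runs as. The script below is an added example, not part of the original article; it recognises services by the executables listed earlier in this topic, and the executable names it adds for the full-text launcher, the VSS writer and the Distributed Replay services (fdlauncher.exe, sqlwriter.exe, DReplayController.exe, DReplayClient.exe) are assumed from a standard installation.

```powershell
# Added example: report which account each SQL Server service runs as and flag deviations from
# the guidance above (LOCAL SYSTEM, plain user accounts, one account shared by several services).
function Get-SqlServiceAccountReport {
    $exe = 'sqlservr\.exe|sqlagent\.exe|msmdsrv\.exe|ReportingServicesService\.exe|MsDtsSrvr\.exe|' +
           'sqlbrowser\.exe|fdlauncher\.exe|sqlwriter\.exe|DReplayController\.exe|DReplayClient\.exe'

    $services = @(Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -match $exe })

    # Count how many services use each logon account; more than one means a shared account.
    $usage = @{}
    foreach ($s in $services) { $usage[$s.StartName] = 1 + [int]$usage[$s.StartName] }

    foreach ($s in $services) {
        $acct = $s.StartName
        $type = switch -Regex ($acct) {
            '^NT SERVICE\\'                             { 'Virtual account';   break }
            '^NT AUTHORITY\\(Network|Local) ?Service$'  { 'Built-in, limited'; break }
            '^LocalSystem$'                             { 'LOCAL SYSTEM';      break }
            '\$$'                                       { 'MSA/gMSA';          break }
            default                                     { 'User account' }
        }

        $findings = @()
        if ($type -eq 'LOCAL SYSTEM' -and $s.PathName -notmatch 'sqlwriter\.exe') {
            $findings += 'runs as LOCAL SYSTEM (only the VSS writer should)'
        }
        if ($type -eq 'User account') {
            $findings += 'plain user account; prefer a virtual account or (g)MSA'
        }
        if (($type -in @('User account', 'MSA/gMSA')) -and ($usage[$acct] -gt 1)) {
            $findings += "account shared by $($usage[$acct]) services"
        }

        [pscustomobject]@{
            Service   = $s.Name
            Account   = $acct
            Type      = $type
            StartMode = $s.StartMode
            State     = $s.State
            Finding   = ($findings -join '; ')
        }
    }
}

Get-SqlServiceAccountReport | Format-Table -AutoSize
```

Anything in the Finding column is a candidate for the Configuration Manager change described under Changing Account Properties; a blank column means the server matches the defaults the table above recommends.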

Automatic Startup

In addition to having user accounts, every service has three possible startup states that users can control:

  • Disabled: The service is installed but cannot be started until its startup type is changed.

  • Manual: The service is installed, but will start only when another service or application needs its functionality.

  • Automatic: The service is automatically started by the operating system.

The startup state is selected during Setup. When installing a named instance, the SQL Server Browser service should be set to start automatically, because clients rely on it to resolve the port of the named instance.

Configuring Services During Unattended Installation

The following table shows the SQL Server services that can be configured during installation. For unattended installations, you can use the switches in a configuration file or at a command prompt.

SQL Server service name                   | Switches for unattended installations 1
MSSQLSERVER                               | SQLSVCACCOUNT, SQLSVCPASSWORD, SQLSVCSTARTUPTYPE
SQLServerAgent 2                          | AGTSVCACCOUNT, AGTSVCPASSWORD, AGTSVCSTARTUPTYPE
MSSQLServerOLAPService                    | ASSVCACCOUNT, ASSVCPASSWORD, ASSVCSTARTUPTYPE
ReportServer                              | RSSVCACCOUNT, RSSVCPASSWORD, RSSVCSTARTUPTYPE
Integration Services                      | ISSVCACCOUNT, ISSVCPASSWORD, ISSVCSTARTUPTYPE
SQL Server Distributed Replay Controller  | DRU_CTLR, CTLRSVCACCOUNT, CTLRSVCPASSWORD, CTLRSTARTUPTYPE, CTLRUSERS
SQL Server Distributed Replay Client      | DRU_CLT, CLTSVCACCOUNT, CLTSVCPASSWORD, CLTSTARTUPTYPE, CLTCTLRNAME, CLTWORKINGDIR, CLTRESULTDIR

1 For more information and sample syntax for unattended installations, see Install SQL Server 2014 from the Command Prompt.

2 The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.
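Putting the switches from the table into a configuration file gives an unattended install that applies the account guidance above: separate gMSAs for the Database Engine and Agent, the virtual account for the full-text launcher, no password entries at all, and the Browser set to automatic because the instance is named. This is an added example, not from the original article; the CONTOSO accounts, the media path and the DBA group are placeholders, and the FTSVCACCOUNT, BROWSERSVCSTARTUPTYPE, TCPENABLED and QUIET parameters are Setup switches documented in the command-prompt installation topic referenced above rather than in this table.

```powershell
# Added example: unattended install of a named instance, driven by a configuration file.
# Run elevated from the SQL Server 2014 media; every name below is a placeholder.
$configFile = Join-Path $env:TEMP 'ConfigurationFile.ini'

# Single-quoted here-string: the '$' in the account names is not expanded by PowerShell.
@'
[OPTIONS]
ACTION="Install"
FEATURES="SQLENGINE,FULLTEXT"
INSTANCENAME="PAYROLL"
; Startup accounts: one gMSA for the engine and a different one for Agent (no shared account).
; No *SVCPASSWORD entries are needed for gMSA, MSA or virtual accounts; the password stays blank.
SQLSVCACCOUNT="CONTOSO\sqlPayroll$"
SQLSVCSTARTUPTYPE="Automatic"
AGTSVCACCOUNT="CONTOSO\sqlPayrollAgt$"
AGTSVCSTARTUPTYPE="Automatic"
FTSVCACCOUNT="NT Service\MSSQLFDLauncher$PAYROLL"
; Named instance: the Browser must start automatically so clients can resolve the port.
BROWSERSVCSTARTUPTYPE="Automatic"
SQLSYSADMINACCOUNTS="CONTOSO\SQL-DBAs"
TCPENABLED="1"
QUIET="True"
'@ | Set-Content -Path $configFile -Encoding ASCII

# Keep license acceptance (and any real password) on the command line rather than in a file that
# may be left on disk: add a /SQLSVCPASSWORD=... argument here only if a domain user account is used.
& 'D:\setup.exe' '/IACCEPTSQLSERVERLICENSETERMS' "/ConfigurationFile=$configFile"
Remove-Item -Path $configFile -ErrorAction SilentlyContinue

# Setup's summary log records every service account and start mode it applied; review it.
Get-ChildItem -Path "$env:ProgramFiles\Microsoft SQL Server\120\Setup Bootstrap\Log" -Filter 'Summary*.txt' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 | Get-Content
```

If the install must use a domain user account instead (for example on a failover cluster instance, where the table above requires one), pass the password on the command line for that run only and never write it into the configuration file.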

Firewall Port

In most cases, when initially installed, the Database Engine can be connected to by tools such as SQL Server Management Studio installed on the same computer as SQL Server. Setup does not open ports in the Windows firewall. Connections from other computers may not be possible until the Database Engine is configured to listen on a TCP port, and the appropriate port is opened for connections in the Windows firewall. For more information, see Configure the Windows Firewall to Allow SQL Server Access.
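Both halves of the paragraph above, the TCP listener and the firewall rule, can be done from PowerShell; the listener change goes through the same WMI provider that Configuration Manager uses. This is an added example, not from the original article. The PAYROLL instance, the 10.20.30.0/24 client subnet and the choice of port 1433 are placeholders, SMO is assumed to be installed, and the NetSecurity cmdlets assume Windows Server 2012 or later (use netsh advfirewall on 2008 R2).

```powershell
# Added example: make a named instance reachable from other computers. Both steps are needed:
# Setup neither binds the engine to a fixed TCP port nor opens the Windows firewall.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
$instance = 'PAYROLL'        # placeholder instance name
$clients  = '10.20.30.0/24'  # placeholder: the only subnet that should reach the engine

# 1. Enable TCP/IP and pin a static port (named instances otherwise use a dynamic port).
$wmi   = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$tcp   = $wmi.ServerInstances[$instance].ServerProtocols['Tcp']
$tcp.IsEnabled = $true
$ipAll = $tcp.IPAddresses['IPAll']
$ipAll.IPAddressProperties['TcpDynamicPorts'].Value = ''      # clear the dynamic port
$ipAll.IPAddressProperties['TcpPort'].Value         = '1433'  # fixed port; any free port works
$tcp.Alter()                                                    # persist; takes effect after restart
Restart-Service -Name ('MSSQL$' + $instance) -Force

# 2. Open only what is needed, only from the client subnet, only on the domain profile.
New-NetFirewallRule -DisplayName "SQL Server $instance (TCP 1433)" -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $clients -Profile Domain -Action Allow
# UDP 1434 is the SQL Server Browser. With a fixed port it is optional: clients that connect to
# host,1433 (or that carry the port in the connection string) never ask the Browser.
New-NetFirewallRule -DisplayName 'SQL Server Browser (UDP 1434)' -Direction Inbound `
    -Protocol UDP -LocalPort 1434 -RemoteAddress $clients -Profile Domain -Action Allow

# 3. Confirm the engine is listening where the rule expects.
Get-NetTCPConnection -State Listen -LocalPort 1433 | Select-Object LocalAddress, LocalPort, OwningProcess
```

From a client in the allowed subnet, Test-NetConnection -ComputerName <host> -Port 1433 confirms the path end to end; a success from outside that subnet means the -RemoteAddress restriction was not applied.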

Service Permissions

This section describes the permissions that SQL Server Setup configures for the per-service SIDs of the SQL Server services.

Service Configuration and Access Control

SQL Server 2014 enables a per-service SID for each of its services to provide service isolation and defense in depth. The per-service SID is derived from the service name and is unique to that service. For example, a service SID name for the Database Engine service might be NT Service\MSSQL$<InstanceName>. Service isolation enables access to specific objects without the need to run a high-privilege account or weaken the security protection of the object. By using an access control entry that contains a service SID, a SQL Server service can restrict access to its resources.

Note

On Windows 7 and Windows Server 2008 R2 (and later), the per-service SID can be the virtual account used by the service.

For most components, SQL Server configures the ACL for the per-service account directly, so changing the service account can be done without having to repeat the resource ACL process.

When installing SSAS, a per-service SID for the Analysis Services service is created. A local Windows group is created, named in the format SQLServerMSASUser$computer_name$instance_name. The per-service SID NT SERVICE\MSSQLServerOLAPService is granted membership in the local Windows group, and the local Windows group is granted the appropriate permissions in the ACL. If the account used to start the Analysis Services service is changed, SQL Server Configuration Manager must change some Windows permissions (such as the right to log on as a service), but the permissions assigned to the local Windows group will still be available without any updating, because the per-service SID has not changed. This method allows the Analysis Services service to be renamed during upgrades.

During SQL Server installation, SQL Server Setup creates local Windows groups for SSAS and the SQL Server Browser service. For these services, SQL Server configures the ACL for the local Windows groups.

Depending on the service configuration, the service account for a service or the service SID is added as a member of the service group during install or upgrade.
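The sentence "the per-service SID is derived from the service name" can be checked directly: the SID is S-1-5-80- followed by the SHA-1 hash of the upper-cased service name, which is why it stays the same whatever account the service runs as, and why an ACL on the SID survives an account change. The script below is an added example, not from the original article; it assumes the MSSQLSERVER service is installed locally (for the sc.exe cross-check) and uses a placeholder D:\SQLBackups folder.

```powershell
# Added example: derive a per-service SID from the service name, confirm it against the service
# control manager, and ACL a resource to the SID rather than to the current logon account.
function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    # Per-service SIDs are S-1-5-80-<5 sub-authorities>; the sub-authorities are the SHA-1 of the
    # upper-cased service name in UTF-16LE, read as five little-endian uint32 values.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $hash  = [System.Security.Cryptography.SHA1]::Create().ComputeHash($bytes)
    $subs  = foreach ($i in 0, 4, 8, 12, 16) { [BitConverter]::ToUInt32($hash, $i) }
    'S-1-5-80-' + ($subs -join '-')
}

function Test-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    # Cross-check with the SCM; 'sc.exe' is used because 'sc' alone is the Set-Content alias.
    $line = sc.exe showsid $ServiceName | Select-String -Pattern 'SERVICE SID:'
    if (-not $line) { throw "sc.exe showsid returned no SID for '$ServiceName'." }
    $fromOs   = $line.ToString().Split(':')[1].Trim()
    $computed = Get-ServiceSid -ServiceName $ServiceName
    [pscustomobject]@{ Service = $ServiceName; Computed = $computed; FromOs = $fromOs; Match = ($computed -eq $fromOs) }
}

Test-ServiceSid -ServiceName 'MSSQLSERVER'      # also try 'MSSQL$PAYROLL' or 'SQLSERVERAGENT'

# Grant a backup target to the service SID, not to the startup account. If the account is later
# changed with Configuration Manager, the engine still reaches this folder without touching the ACL.
# Inheritance is removed so that broad grants from the parent (for example BUILTIN\Users) do not apply.
$backupDir = 'D:\SQLBackups'   # placeholder
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
icacls.exe $backupDir /inheritance:r /grant:r 'NT SERVICE\MSSQLSERVER:(OI)(CI)M' 'BUILTIN\Administrators:(OI)(CI)F'
(Get-Acl -Path $backupDir).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Modify (M) is enough for BACKUP and RESTORE; the service SID does not need Full Control, which would let it change the folder's permissions.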

Windows Privileges and Rights

The account assigned to start a service needs the Start, stop and pause permission for the service. The SQL Server Setup program assigns this automatically. To manage that permission yourself, first install Remote Server Administration Tools (RSAT); see Remote Server Administration Tools for Windows 7.

The following list shows the permissions that SQL Server Setup requests for the per-service SIDs or local Windows groups used by SQL Server components.

SQL Server Database Engine (all rights are granted to the per-service SID; default instance: NT SERVICE\MSSQLSERVER, named instance: NT SERVICE\MSSQL$InstanceName):
  • Log on as a service (SeServiceLogonRight)
  • Replace a process-level token (SeAssignPrimaryTokenPrivilege)
  • Bypass traverse checking (SeChangeNotifyPrivilege)
  • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
  • Permission to start SQL Writer
  • Permission to read the Event Log service
  • Permission to read the Remote Procedure Call service

SQL Server Agent 1 (all rights are granted to the per-service SID; default instance: NT Service\SQLSERVERAGENT, named instance: NT Service\SQLAGENT$InstanceName):
  • Log on as a service (SeServiceLogonRight)
  • Replace a process-level token (SeAssignPrimaryTokenPrivilege)
  • Bypass traverse checking (SeChangeNotifyPrivilege)
  • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

SSAS (all rights are granted to a local Windows group; default instance: SQLServerMSASUser$ComputerName$MSSQLSERVER, named instance: SQLServerMSASUser$ComputerName$InstanceName, PowerPivot for SharePoint instance: SQLServerMSASUser$ComputerName$PowerPivot):
  • Log on as a service (SeServiceLogonRight)
  • For tabular only: Increase a process working set (SeIncreaseWorkingSetPrivilege)
  • For tabular only: Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
  • For tabular only: Lock pages in memory (SeLockMemoryPrivilege); this is needed only when paging is turned off entirely
  • For failover cluster installations only: Increase scheduling priority (SeIncreaseBasePriorityPrivilege)

SSRS (all rights are granted to the per-service SID; default instance: NT SERVICE\ReportServer, named instance: NT SERVICE\ReportServer$InstanceName):
  • Log on as a service (SeServiceLogonRight)

SSIS (all rights are granted to the per-service SID; default and named instances: NT SERVICE\MsDtsServer120, because Integration Services does not have a separate process for a named instance):
  • Log on as a service (SeServiceLogonRight)
  • Permission to write to the application event log
  • Bypass traverse checking (SeChangeNotifyPrivilege)
  • Impersonate a client after authentication (SeImpersonatePrivilege)

Full-text search (all rights are granted to the per-service SID; default instance: NT Service\MSSQLFDLauncher, named instance: NT Service\MSSQLFDLauncher$InstanceName):
  • Log on as a service (SeServiceLogonRight)
  • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
  • Bypass traverse checking (SeChangeNotifyPrivilege)

SQL Server Browser (all rights are granted to a local Windows group; default or named instance: SQLServer2005SQLBrowserUser$ComputerName, because the Browser does not have a separate process for a named instance):
  • Log on as a service (SeServiceLogonRight)

SQL Server VSS Writer (per-service SID for default or named instance: NT Service\SQLWriter; the VSS Writer does not have a separate process for a named instance): the SQLWriter service runs under the LOCAL SYSTEM account, which already has all the required permissions. SQL Server Setup does not check or grant permissions for this service.

SQL Server Distributed Replay Controller:
  • Log on as a service (SeServiceLogonRight)

SQL Server Distributed Replay Client:
  • Log on as a service (SeServiceLogonRight)

1 The SQL Server Agent service is disabled on instances of SQL Server Express.
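The list above is also a baseline to audit against: a per-service SID that has picked up SeDebugPrivilege or SeBackupPrivilege through a GPO or a well-meaning DBA can read any process or file on the host, which defeats the isolation the SID was meant to provide. The script below is an added example, not from the original article; it reads the local policy with secedit, compares the Database Engine SID's rights with the four Setup grants listed above, and treats the two rights commonly added on purpose for SQL Server (SeManageVolumePrivilege for instant file initialization, SeLockMemoryPrivilege for locked pages) as tolerated. It assumes an elevated shell on a host where the MSSQLSERVER service exists.

```powershell
# Added example: compare the user rights actually assigned to a per-service SID with the rights
# Setup grants, and flag anything extra.
function Get-PrivilegeAssignments {
    # secedit exports the local policy; the [Privilege Rights] section lists each right with the
    # principals holding it, SIDs prefixed by '*'. Needs an elevated shell.
    $inf = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights    = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    $rights
}

function Test-ServicePrivileges {
    param(
        [string]$Account = 'NT SERVICE\MSSQLSERVER',
        # Rights Setup grants to the Database Engine per-service SID (from the list above).
        [string[]]$Expected  = @('SeServiceLogonRight', 'SeAssignPrimaryTokenPrivilege',
                                 'SeChangeNotifyPrivilege', 'SeIncreaseQuotaPrivilege'),
        # Commonly added deliberately for SQL Server: instant file initialization, lock pages in memory.
        [string[]]$Tolerated = @('SeManageVolumePrivilege', 'SeLockMemoryPrivilege')
    )
    $sid    = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $rights = Get-PrivilegeAssignments
    $held   = @($rights.Keys | Where-Object { $rights[$_] -contains $sid })

    # SeChangeNotifyPrivilege is normally inherited through Everyone (S-1-1-0), so it rarely appears
    # as a direct grant; count it as satisfied while Everyone still has it.
    $missing = @($Expected | Where-Object {
        $_ -notin $held -and -not ($_ -eq 'SeChangeNotifyPrivilege' -and $rights[$_] -contains 'S-1-1-0')
    })
    $extra = @($held | Where-Object { $_ -notin $Expected })

    [pscustomobject]@{
        Account   = $Account
        Sid       = $sid
        Held      = $held
        Missing   = $missing
        Tolerated = @($extra | Where-Object { $_ -in $Tolerated })
        Review    = @($extra | Where-Object { $_ -notin $Tolerated })   # anything here needs a justification
    }
}

Test-ServicePrivileges | Format-List
```

Rights the SID holds only through group membership (for example via BUILTIN\Administrators) do not show up in the direct-grant list, so an empty Review column is only meaningful once the service account report earlier in this topic has confirmed the account is not an administrator.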

授予 SQL Server Per-service SID 或本地 Windows 组的文件系统权限File System Permissions Granted to SQL Server Per-service SIDs or Local Windows Groups

SQL ServerSQL Server 服务帐户必须具有对资源的访问权限。service accounts must have access to resources. 为 Per-service SID 或本地 Windows 组设置了访问控制列表。Access control lists are set for the per-service SID or the local Windows group.

重要

对于故障转移群集安装,必须为本地帐户的 ACL 设置共享磁盘上的资源。For failover cluster installations, resources on shared disks must be set to an ACL for a local account.

下表显示了 SQL ServerSQL Server 安装程序设置的 ACL:The following table shows the ACLs that are set by SQL ServerSQL Server Setup:

| Service account for | Files and folders | Access |
|---|---|---|
| MSSQLServer | Instid\MSSQL\backup | Full control |
| | Instid\MSSQL\binn | Read, Execute |
| | Instid\MSSQL\data | Full control |
| | Instid\MSSQL\FTData | Full control |
| | Instid\MSSQL\Install | Read, Execute |
| | Instid\MSSQL\Log | Full control |
| | Instid\MSSQL\Repldata | Full control |
| | 120\shared | Read, Execute |
| | Instid\MSSQL\Template Data (SQL Server Express only) | Read |
| SQLServerAgent¹ | Instid\MSSQL\binn | Full control |
| | Instid\MSSQL\Log | Read, Write, Delete, Execute |
| | 120\com | Read, Execute |
| | 120\shared | Read, Execute |
| | 120\shared\Errordumps | Read, Write |
| | ServerName\EventLog | Full control |
| FTS | Instid\MSSQL\FTData | Full control |
| | Instid\MSSQL\FTRef | Read, Execute |
| | 120\shared | Read, Execute |
| | 120\shared\Errordumps | Read, Write |
| | Instid\MSSQL\Install | Read, Execute |
| | Instid\MSSQL\jobs | Read, Write |
| MSSQLServerOLAPService | 120\shared\ASConfig | Full control |
| | Instid\OLAP | Read, Execute |
| | Instid\Olap\Data | Full control |
| | Instid\Olap\Log | Read, Write |
| | Instid\OLAP\Backup | Read, Write |
| | Instid\OLAP\Temp | Read, Write |
| | 120\shared\Errordumps | Read, Write |
| SQLServerReportServerUser | Instid\Reporting Services\Log Files | Read, Write, Delete |
| | Instid\Reporting Services\ReportServer | Read, Execute |
| | Instid\Reportingservices\Reportserver\global.asax | Full control |
| | Instid\Reportingservices\Reportserver\Reportserver.config | Read |
| | Instid\Reporting Services\reportManager | Read, Execute |
| | Instid\Reporting Services\RSTempfiles | Read, Write, Execute, Delete |
| | 120\shared | Read, Execute |
| | 120\shared\Errordumps | Read, Write |
| MSDTSServer100 | 120\dts\binn\MsDtsSrvr.ini.xml | Read |
| | 120\dts\binn | Read, Execute |
| | 120\shared | Read, Execute |
| | 120\shared\Errordumps | Read, Write |
| SQL Server Browser | 120\shared\ASConfig | Read |
| | 120\shared | Read, Execute |
| | 120\shared\Errordumps | Read, Write |
| SQLWriter | N/A (runs as Local System) | |
| User | Instid\MSSQL\binn | Read, Execute |
| | Instid\Reporting Services\ReportServer | Read, Execute, List Folder Contents |
| | Instid\Reportingservices\Reportserver\global.asax | Read |
| | Instid\Reporting Services\ReportManager | Read, Execute |
| | Instid\Reporting Services\ReportManager\pages | Read |
| | Instid\Reporting Services\ReportManager\Styles | Read |
| | 120\dts | Read, Execute |
| | 120\tools | Read, Execute |
| | 100\tools | Read, Execute |
| | 90\tools | Read, Execute |
| | 80\tools | Read, Execute |
| | 120\sdk | Read |
| | Microsoft SQL Server\120\Setup Bootstrap | Read, Execute |
| SQL Server Distributed Replay Controller | <ToolsDir>\DReplayController\Log\ (empty directory) | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayController\DReplayController.exe | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayController\resources | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayController\{all dlls} | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayController\DReplayController.config | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayController\IRTemplate.tdf | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayController\IRDefinition.xml | Read, Execute, List Folder Contents |
| SQL Server Distributed Replay Client | <ToolsDir>\DReplayClient\Log | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayClient\DReplayClient.exe | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayClient\resources | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayClient\ (all dlls) | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayClient\DReplayClient.config | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayClient\IRTemplate.tdf | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayClient\IRDefinition.xml | Read, Execute, List Folder Contents |

¹ The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.

When database files are stored in a user-defined location, you must grant the per-service SID access to that location. For more information about granting file system permissions to a per-service SID, see Configure File System Permissions for Database Engine Access.
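The table above is a specification that drift can silently break (a restore job that re-creates a folder, an administrator who adds Everyone:Modify to get past an error). The following PowerShell script is an added audit example, not part of the Microsoft documentation or of SQL Server Setup: it compares the NTFS ACLs on an instance's folders with the MSSQLServer rows above and flags write access held by broad principals the table does not list. It assumes a default instance (per-service SID `NT SERVICE\MSSQLSERVER`) and the instance root path given as the default parameter; both are assumptions to adjust for a named instance.

```powershell
# Added audit script (not from the Microsoft documentation). It compares the NTFS
# ACLs on an instance's data folders with the MSSQLServer rows of the table above
# and flags write access held by broad principals that the table does not list.
# Assumptions: default instance (per-service SID NT SERVICE\MSSQLSERVER) and the
# instance root path below; adjust both for a named instance. Run elevated.
param(
    [string]$ServiceName  = 'MSSQLSERVER',
    [string]$InstanceRoot = 'C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL'
)

$perServiceSid = "NT SERVICE\$ServiceName"

# Minimum rights per folder, as documented for the MSSQLServer service account.
$expected = @{
    'backup'   = 'FullControl'
    'binn'     = 'ReadAndExecute'
    'data'     = 'FullControl'
    'FTData'   = 'FullControl'
    'Install'  = 'ReadAndExecute'
    'Log'      = 'FullControl'
    'Repldata' = 'FullControl'
}

# Principals that should not be able to write into database folders at all.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# Any Write bit is enough to flag; Modify and FullControl both contain these bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write

$findings = foreach ($folder in $expected.Keys) {
    $path = Join-Path -Path $InstanceRoot -ChildPath $folder
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Path = $path; Principal = ''; Finding = 'folder not present' }
        continue
    }
    $acl      = Get-Acl -LiteralPath $path
    $required = [int][System.Security.AccessControl.FileSystemRights]$expected[$folder]

    # Union of all Allow entries for the per-service SID (explicit and inherited).
    # Inherited entries expressed as generic rights show up as negative values
    # and are folded in as-is.
    $granted = 0
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -eq 'Allow' -and $rule.IdentityReference.Value -eq $perServiceSid) {
            $granted = $granted -bor [int]$rule.FileSystemRights
        }
    }
    if (($granted -band $required) -ne $required) {
        [pscustomobject]@{ Path = $path; Principal = $perServiceSid
                           Finding = "missing documented right: $($expected[$folder])" }
    }

    # Broad principals with write access are a finding regardless of the table.
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $rule.IdentityReference.Value -and
            (([int]$rule.FileSystemRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{ Path = $path; Principal = $rule.IdentityReference.Value
                               Finding = "write access: $($rule.FileSystemRights)" }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No deviations found.' }
```

The script reports and never changes an ACL; a missing right for the per-service SID is a broken-installation finding, while a write grant to Everyone or Users on `data`, `Log` or `backup` is the one to treat as an integrity problem, because anyone who can write into those folders can alter database, log or backup files the engine trusts.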

File System Permissions Granted to Other Windows User Accounts or Groups

Some access control permissions might have to be granted to built-in accounts or other SQL Server service accounts. The following table lists additional ACLs that are set by SQL Server Setup.

| Requesting component | Account | Resource | Permissions |
|---|---|---|---|
| MSSQLServer | Performance Log Users | Instid\MSSQL\binn | List folder contents |
| | Performance Monitor Users | Instid\MSSQL\binn | List folder contents |
| | Performance Log Users, Performance Monitor Users | \WINNT\system32\sqlctr120.dll | Read, Execute |
| | Administrator only | \\.\root\Microsoft\SqlServer\ServerEvents\<sql_instance_name>¹ | Full control |
| | Administrators, System | \tools\binn\schemas\sqlserver\2004\07\showplan | Full control |
| | Users | \tools\binn\schemas\sqlserver\2004\07\showplan | Read, Execute |
| Reporting Services | <Report Server Web Service Account> | <install>\Reporting Services\LogFiles | DELETE, READ_CONTROL, SYNCHRONIZE, FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES |
| | Report Manager Application pool identity, ASP.NET account, Everyone | <install>\Reporting Services\ReportManager, <install>\Reporting Services\ReportManager\Pages\*.*, <install>\Reporting Services\ReportManager\Styles\*.*, <install>\Reporting Services\ReportManager\webctrl_client\1_0\*.* | Read |
| | Report Manager Application pool identity | <install>\Reporting Services\ReportManager\Pages\*.* | Read |
| | <Report Server Web Service Account> | <install>\Reporting Services\ReportServer | Read |
| | <Report Server Web Service Account> | <install>\Reporting Services\ReportServer\global.asax | Full |
| | Everyone | <install>\Reporting Services\ReportServer\global.asax | READ_CONTROL, FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES |
| | Network Service | <install>\Reporting Services\ReportServer\ReportService.asmx | Full |
| | Everyone | <install>\Reporting Services\ReportServer\ReportService.asmx | READ_CONTROL, SYNCHRONIZE, FILE_GENERIC_READ, FILE_GENERIC_EXECUTE, FILE_READ_DATA, FILE_READ_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES |
| | ReportServer Windows Service Account | <install>\Reporting Services\ReportServer\RSReportServer.config | DELETE, READ_CONTROL, SYNCHRONIZE, FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES |
| | Everyone | Report Server keys (Instid hive) | Query Value, Enumerate SubKeys, Notify, Read Control |
| | Terminal Services User | Report Server keys (Instid hive) | Query Value, Set Value, Create SubKey, Enumerate SubKeys, Notify, Delete, Read Control |
| | Power Users | Report Server keys (Instid hive) | Query Value, Set Value, Create SubKey, Enumerate SubKeys, Notify, Delete, Read Control |

¹ This is the WMI provider namespace.

File System Permissions Related to Unusual Disk Locations

The default drive for installation locations is systemdrive, normally drive C. When tempdb or user databases are installed elsewhere, the following applies.

Non-default Drive

When installed to a local drive that is not the default drive, the per-service SID must have access to the file location. SQL Server Setup will provision the required access.

Network Share

When databases are installed to a network share, the service account must have access to the file location of the user and tempdb databases. SQL Server Setup cannot provision access to a network share. The user must provision access to the tempdb location for the service account before running Setup, and must provision access to the user database location before creating the database.

Note

Virtual accounts cannot be authenticated to a remote location. All virtual accounts use the permissions of the machine account. Provision the machine account in the format <domain_name>\<computer_name>$.
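The two rules above (local path: grant the per-service SID; network share: grant the machine account, because a virtual account has no network identity of its own) are easy to get wrong when a database is moved later. The following PowerShell helper is an added example, not part of the Microsoft documentation or of SQL Server Setup. The function names, the Full Control default and the use of `$env:USERDOMAIN` / `$env:COMPUTERNAME` to build the machine account name are this example's own assumptions; the script must run on the SQL Server computer, as a domain user, to derive that name correctly.

```powershell
# Added helper (not from the Microsoft documentation). Picks the principal that
# must be granted access to a database file location, following the rules above:
# a local path is granted to the per-service SID; a network share cannot be
# reached by a virtual account, so the machine account DOMAIN\COMPUTER$ is used.
# Assumptions: the function names and the Full Control default are this example's
# choices; adjust the rights to what the location actually needs.
function Get-SqlDataPathPrincipal {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ServiceName = 'MSSQLSERVER'   # MSSQL$<name> for a named instance
    )
    if ($Path -like '\\*') {
        # UNC path: the per-service SID has no network identity, so the remote
        # NTFS ACL must name the machine account instead (assumed domain-joined).
        '{0}\{1}$' -f $env:USERDOMAIN, $env:COMPUTERNAME
    } else {
        "NT SERVICE\$ServiceName"
    }
}

function Grant-SqlDataPathAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ServiceName = 'MSSQLSERVER',
        [System.Security.AccessControl.FileSystemRights]$Rights = 'FullControl'
    )
    $principal = Get-SqlDataPathPrincipal -Path $Path -ServiceName $ServiceName
    if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }

    $acl = Get-Acl -LiteralPath $Path
    # Idempotent: skip when an Allow entry for the principal already covers the rights.
    $already = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $principal -and
        (([int]$_.FileSystemRights -band [int]$Rights) -eq [int]$Rights)
    }
    if ($already) {
        Write-Verbose "$principal already has $Rights on $Path"
        return $principal
    }

    # Inherit to sub-folders and files so data files created later are covered.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    if ($PSCmdlet.ShouldProcess($Path, "grant $Rights to $principal")) {
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    $principal
}

# Usage with constructed paths; -WhatIf shows the planned change without applying it.
# Grant-SqlDataPathAccess -Path 'D:\SQLData'             -WhatIf
# Grant-SqlDataPathAccess -Path '\\fileserver\sqltempdb' -WhatIf
```

For the UNC case the NTFS ACL changed by `Set-Acl` lives on the file server, and the share-level permission on that server must admit the machine account as well; the helper does not touch share permissions. Granting only the rights a location needs (for example no Full Control on a read-only template folder) keeps the blast radius of a compromised service process small.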

Reviewing Additional Considerations

The following table shows the permissions that are required for SQL Server services to provide additional functionality.

| Service/Application | Functionality | Required permission |
|---|---|---|
| SQL Server (MSSQLSERVER) | Write to a mail slot using xp_sendmail. | Network write permissions. |
| SQL Server (MSSQLSERVER) | Run xp_cmdshell for a user other than a SQL Server administrator. | Act as part of operating system and replace a process-level token. |
| SQL Server Agent (MSSQLSERVER) | Use the autorestart feature. | Must be a member of the Administrators local group. |
| Database Engine Tuning Advisor | Tunes databases for optimal query performance. | On first use, a user who has system administrative credentials must initialize the application. After initialization, dbo users can use the Database Engine Tuning Advisor to tune only those tables that they own. For more information, see "Initializing Database Engine Tuning Advisor on First Use" in SQL Server Books Online. |

Important

Before you upgrade SQL Server, enable Windows Authentication for SQL Server Agent and verify the required default configuration: that the SQL Server Agent service account is a member of the SQL Server sysadmin group.

Registry Permissions

The registry hive is created under HKLM\Software\Microsoft\Microsoft SQL Server\<Instance_ID> for instance-aware components. For example:

  • HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL12.MyInstance

  • HKLM\Software\Microsoft\Microsoft SQL Server\MSASSQL12.MyInstance

  • HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL.120

The registry also maintains a mapping of instance ID to instance name. Instance ID to instance name mapping is maintained as follows:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\SQL] "InstanceName"="MSSQL12"

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\OLAP] "InstanceName"="MSASSQL12"

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\RS] "InstanceName"="MSRSSQL12"
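The instance-name mapping is the natural starting point for an audit, because it tells you which hive under `Microsoft SQL Server` belongs to which instance without guessing at instance IDs. The following PowerShell script is an added example, not part of the Microsoft documentation: it walks the `Instance Names\SQL` mapping, opens each Database Engine hive, checks that the instance's per-service SID has an Allow entry there, and lists write rights held by broad groups. The service-name convention `MSSQLSERVER` for the default instance and `MSSQL$<name>` for a named instance, and the function name, are this example's assumptions.

```powershell
# Added example (not from the Microsoft documentation): resolve every installed
# Database Engine instance through the Instance Names\SQL mapping described above,
# locate its registry hive, and report who can write to it. Setup grants the hive
# to the instance's per-service SID; write access for broad groups is flagged.
# Assumption: the service-name convention MSSQLSERVER / MSSQL$<name>. Run elevated.
$mapKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$hiveRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

# Registry rights that change the hive or its ACL; any of them counts as write access.
$writeMask = [int]([System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership')
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Power Users')

function Get-SqlInstanceHiveReport {
    if (-not (Test-Path -LiteralPath $mapKey)) { throw "No Database Engine instances registered under $mapKey" }
    $map = Get-ItemProperty -LiteralPath $mapKey
    # Every non-PS* property of the key is one "InstanceName" = "InstanceId" pair.
    foreach ($prop in $map.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $instanceName  = $prop.Name
        $instanceId    = $prop.Value
        $serviceName   = if ($instanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$instanceName" }
        $perServiceSid = "NT SERVICE\$serviceName"
        $hive          = Join-Path -Path $hiveRoot -ChildPath $instanceId

        if (-not (Test-Path -LiteralPath $hive)) {
            [pscustomobject]@{ Instance = $instanceName; Hive = $hive; Principal = ''; Finding = 'hive missing' }
            continue
        }
        $acl = Get-Acl -LiteralPath $hive
        $sidHasAccess = $false
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $id = $rule.IdentityReference.Value
            if ($id -eq $perServiceSid) { $sidHasAccess = $true }
            if ($broadPrincipals -contains $id -and (([int]$rule.RegistryRights -band $writeMask) -ne 0)) {
                [pscustomobject]@{ Instance = $instanceName; Hive = $hive; Principal = $id
                                   Finding = "write access: $($rule.RegistryRights)" }
            }
        }
        if (-not $sidHasAccess) {
            [pscustomobject]@{ Instance = $instanceName; Hive = $hive; Principal = $perServiceSid; Finding = 'no Allow entry' }
        }
    }
}

Get-SqlInstanceHiveReport | Format-Table -AutoSize
```

A hive that a non-administrative group can write to matters because values under it (startup parameters, the data file locations, error-log paths) are read by the service at start-up under the per-service SID; keeping write access limited to Administrators, SYSTEM and the instance's own SID is the configuration Setup establishes.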

WMI

Windows Management Instrumentation (WMI) must be able to connect to the Database Engine. To support this, the per-service SID of the Windows WMI provider (NT SERVICE\winmgmt) is provisioned in the Database Engine.

The SQL WMI provider requires the following permissions:

  • Membership in the db_ddladmin or db_owner fixed database roles in the msdb database.

  • CREATE DDL EVENT NOTIFICATION permission in the server.

  • CREATE TRACE EVENT NOTIFICATION permission in the Database Engine.

  • VIEW ANY DATABASE server-level permission.

SQL Server Setup creates a SQL WMI namespace and grants read permission to the SQL Server Agent service SID.

Named Pipes

In all installations, SQL Server Setup provides access to the SQL Server Database Engine through the shared memory protocol, which is a local named pipe.

Provisioning

This section describes how accounts are provisioned inside the various SQL Server components.

Database Engine Provisioning

The following accounts are added as logins in the SQL Server Database Engine.

Windows Principals

During setup, SQL Server Setup requires at least one user account to be named as a member of the sysadmin fixed server role.

sa Account

The sa account is always present as a Database Engine login and is a member of the sysadmin fixed server role. When the Database Engine is installed using only Windows Authentication (that is, when SQL Server Authentication is not enabled), the sa login is still present but is disabled. For information about enabling the sa account, see Change Server Authentication Mode.

SQL Server Per-service SID Login and Privileges

The per-service SID of the SQL Server service is provisioned as a Database Engine login. The per-service SID login is a member of the sysadmin fixed server role.

SQL Server Agent Login and Privileges

The per-service SID of the SQL Server Agent service is provisioned as a Database Engine login. The per-service SID login is a member of the sysadmin fixed server role.

Always On Availability Groups and SQL Failover Cluster Instances and Privileges

When the Database Engine is installed for Always On Availability Groups or as a SQL Failover Cluster Instance (SQL FCI), LOCAL SYSTEM is provisioned in the Database Engine. The LOCAL SYSTEM login is granted the ALTER ANY AVAILABILITY GROUP permission (for Always On Availability Groups) and the VIEW SERVER STATE permission (for SQL FCI).

SQL Writer and Privileges

The per-service SID of the SQL Server VSS Writer service is provisioned as a Database Engine login. The per-service SID login is a member of the sysadmin fixed server role.

SQL WMI and Privileges

SQL Server Setup provisions the NT SERVICE\Winmgmt account as a Database Engine login and adds it to the sysadmin fixed server role.

SSAS Provisioning

SSAS service account requirements vary depending on how you deploy the server. If you are installing PowerPivot for SharePoint, SQL Server Setup requires that you configure the Analysis Services service to run under a domain account. Domain accounts are required to support the managed account facility that is built into SharePoint. For this reason, SQL Server Setup does not provide a default service account, such as a virtual account, for a PowerPivot for SharePoint installation. For more information about provisioning PowerPivot for SharePoint, see Configure PowerPivot Service Accounts.

For all other standalone SSAS installations, you can provision the service to run under a domain account, a built-in system account, a managed account, or a virtual account. For more information about account provisioning, see Configure Service Accounts (Analysis Services).

For clustered installations, you must specify a domain account or a built-in system account. Neither managed accounts nor virtual accounts are supported for SSAS failover clusters.

All SSAS installations require that you specify a system administrator of the Analysis Services instance. Administrator privileges are provisioned in the Analysis Services Server role.

SSRS Provisioning

The account specified during setup is provisioned in the Database Engine as a member of the RSExecRole database role. For more information, see Configure the Report Server Service Account (SSRS Configuration Manager).
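The sections above enumerate exactly which logins Setup places in sysadmin: sa, the Database Engine, Agent and VSS Writer per-service SIDs, NT SERVICE\Winmgmt, and the administrator named during Setup. Anything else in that role was added afterwards and deserves a second look. The following PowerShell function is an added example, not part of the Microsoft documentation: it lists the role members and marks each as documented or for review. It assumes the `SqlServer` PowerShell module (for `Invoke-Sqlcmd`) is installed, that the caller can read the server catalog views, default-instance service names, and that the Setup-time administrator accounts are passed in by the caller; the function name is this example's own.

```powershell
# Added check (not from the Microsoft documentation): list the members of the
# sysadmin fixed server role and compare them with the logins the sections above
# say Setup provisions there. Anything else is reported for review, not removed.
# Assumptions: the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, the
# caller can read sys.server_principals, and the default-instance service names
# below; the Setup-time administrator accounts are supplied by the caller.
function Get-UnexpectedSysadminMembers {
    param(
        [string]$ServerInstance = 'localhost',
        [string[]]$SetupAdmins  = @()      # accounts named as sysadmin during Setup
    )
    $query = @"
SELECT m.name AS MemberName, m.type_desc AS MemberType, m.is_disabled
FROM   sys.server_role_members rm
JOIN   sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE  r.name = N'sysadmin';
"@
    # Logins documented above as sysadmin members on a default instance.
    $documented = @(
        'sa',
        'NT SERVICE\MSSQLSERVER',      # Database Engine per-service SID
        'NT SERVICE\SQLSERVERAGENT',   # SQL Server Agent per-service SID
        'NT SERVICE\SQLWriter',        # SQL Server VSS Writer per-service SID
        'NT SERVICE\Winmgmt'           # SQL WMI provider
    ) + $SetupAdmins

    $members = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $query
    foreach ($m in $members) {
        # -contains is case-insensitive, matching SQL Server's treatment of login names.
        $expected = $documented -contains $m.MemberName
        [pscustomobject]@{
            Member   = $m.MemberName
            Type     = $m.MemberType
            Disabled = [bool]$m.is_disabled
            Status   = if ($expected) { 'documented' } else { 'review' }
        }
    }
}

# Usage (constructed values): pass the group or account you named as administrator in Setup.
# Get-UnexpectedSysadminMembers -ServerInstance '.' -SetupAdmins 'CONTOSO\sqladmins'
```

For a named instance replace the two per-service SID names with `NT SERVICE\MSSQL$<name>` and `NT SERVICE\SQLAgent$<name>`. A "review" row is not automatically wrong (a monitoring login, a DBA group), but each one is a login that can run xp_cmdshell, read every database and change the server configuration, so it should be deliberate.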

Upgrading From Previous Versions

This section describes the changes made during upgrade from a previous version of SQL Server.

  • SQL Server 2014 requires Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.0, Windows Server 2012 R2, or Windows 8.1. Any previous version of SQL Server running on a lower operating system version must have the operating system upgraded before upgrading SQL Server.

  • During upgrade of SQL Server 2005 to SQL Server 2014, SQL Server Setup will configure SQL Server in the following way.

    • The Database Engine runs with the security context of the per-service SID. The per-service SID is granted access to the file folders of the SQL Server instance (such as DATA) and the SQL Server registry keys.

    • The per-service SID of the Database Engine is provisioned in the Database Engine as a member of the sysadmin fixed server role.

    • The per-service SIDs are added to the local SQL Server Windows groups, unless SQL Server is a Failover Cluster Instance.

    • The SQL Server resources remain provisioned to the local SQL Server Windows groups.

    • The local Windows group for services is renamed from SQLServer2005MSSQLUser$<computer_name>$<instance_name> to SQLServerMSSQLUser$<computer_name>$<instance_name>. File locations for migrated databases will have Access Control Entries (ACEs) for the local Windows groups. The file locations for new databases will have ACEs for the per-service SID.

  • During upgrade from SQL Server 2008, SQL Server Setup will preserve the ACEs for the SQL Server 2008 per-service SID.

  • For a SQL Server Failover Cluster Instance, the ACE for the domain account configured for the service will be retained.

Appendix

This section contains additional information about SQL Server services.

Description of Service Accounts

The service account is the account used to start a Windows service, such as the SQL Server Database Engine.

Accounts Available With Any Operating System

In addition to the new MSA and virtual accounts described earlier, the following accounts can be used.

Domain User Account

If the service must interact with network services, access domain resources like file shares, or use linked server connections to other computers running SQL Server, you might use a minimally privileged domain account. Many server-to-server activities can be performed only with a domain user account. This account should be pre-created by domain administration in your environment.

Note

If you configure the application to use a domain account, you can isolate the privileges for the application, but you must manually manage passwords or create a custom solution for managing these passwords. Many server applications use this strategy to enhance security, but this strategy requires additional administration and complexity. In these deployments, service administrators spend a considerable amount of time on maintenance tasks such as managing service passwords and service principal names (SPNs), which are required for Kerberos authentication. In addition, these maintenance tasks can disrupt service.

Local User Accounts

If the computer is not part of a domain, a local user account without Windows administrator permissions is recommended.

Local Service Account

The Local Service account is a built-in account that has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session without credentials. Be aware that the Local Service account is not supported for the SQL Server or SQL Server Agent services. Local Service is not supported as the account running those services because it is a shared account: any other service running under Local Service would have system administrator access to SQL Server. The actual name of the account is NT AUTHORITY\LOCAL SERVICE.

Network Service Account

The Network Service account is a built-in account that has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account in the format <domain_name>\<computer_name>$. The actual name of the account is NT AUTHORITY\NETWORK SERVICE.

Local System Account

Local System is a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network. The actual name of the account is NT AUTHORITY\SYSTEM.
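The account descriptions above translate into a short checklist a reviewer can run against a server: no SQL Server or Agent service under Local Service, Local System only where a cluster or compatibility requirement forces it, and domain accounts only where their password and SPN upkeep is actually handled. The following PowerShell function is an added example, not part of the Microsoft documentation: it inventories the SQL Server services on the local computer through `Win32_Service` and annotates each start account with the guidance from this section. The Windows service-name conventions it matches on (`MSSQLSERVER` / `MSSQL$<name>`, `SQLSERVERAGENT` / `SQLAgent$<name>`, and the other name prefixes in the filter) and the function name are this example's assumptions.

```powershell
# Added inventory (not from the Microsoft documentation): list which account each
# SQL Server service on this computer starts under and annotate it with the
# guidance above (Local Service is unsupported for the Database Engine and Agent;
# Local System is highly privileged; domain accounts need password/SPN upkeep).
# Assumptions: the service-name conventions MSSQLSERVER / MSSQL$<name> and
# SQLSERVERAGENT / SQLAgent$<name>, plus the other name prefixes in the filter.
function Get-SqlServiceAccountReport {
    # WQL filter; % is the WQL wildcard. Single quotes keep the $ characters literal.
    $filter = 'Name LIKE "MSSQL%" OR Name LIKE "SQL%" OR Name LIKE "MSOLAP%" OR Name LIKE "ReportServer%" OR Name LIKE "MsDtsServer%"'
    # Local user accounts appear as .\name or COMPUTERNAME\name.
    $localPattern = '^\.\\|^' + [regex]::Escape($env:COMPUTERNAME) + '\\'

    foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter $filter) {
        $isEngineOrAgent = $svc.Name -eq 'MSSQLSERVER' -or $svc.Name -like 'MSSQL$*' -or
                           $svc.Name -eq 'SQLSERVERAGENT' -or $svc.Name -like 'SQLAgent$*'
        $account = [string]$svc.StartName

        # Win32_Service reports built-in accounts as "NT AUTHORITY\LocalService",
        # "NT AUTHORITY\NetworkService" and "LocalSystem"; the patterns accept the
        # spaced spellings used in this topic as well. Matching is case-insensitive.
        $finding = switch -Regex ($account) {
            '^NT AUTHORITY\\LOCAL ?SERVICE$' {
                if ($isEngineOrAgent) { 'UNSUPPORTED: Local Service for Database Engine/Agent' }
                else                  { 'Local Service (shared account, null-session network access)' }
                break
            }
            '^LocalSystem$|^NT AUTHORITY\\SYSTEM$' { 'Local System: highly privileged built-in account'; break }
            '^NT AUTHORITY\\NETWORK ?SERVICE$'    { 'Network Service: acts as the machine account on the network'; break }
            '^NT SERVICE\\'                       { 'virtual account (per-service SID)'; break }
            $localPattern                         { 'local user account'; break }
            default                               { 'domain or managed account: password/SPN maintenance required' }
        }
        [pscustomobject]@{
            Service = $svc.Name
            Account = $account
            State   = $svc.State
            Finding = $finding
        }
    }
}

Get-SqlServiceAccountReport | Format-Table -AutoSize
```

The function only reads service metadata, so it is safe to run on a production host; the `UNSUPPORTED` row is the one to act on, by moving the service to a virtual account or a dedicated low-privilege account through SQL Server Configuration Manager rather than the generic Services console, so that the per-service SID grants described earlier are applied.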

Identifying Instance-Aware and Instance-Unaware Services

Instance-aware services are associated with a specific instance of SQL Server, and have their own registry hives. You can install multiple copies of instance-aware services by running SQL Server Setup for each component or service. Instance-unaware services are shared among all installed SQL Server instances. They are not associated with a specific instance, are installed only once, and cannot be installed side-by-side.

Instance-aware services in SQL Server include the following:

  • SQL Server

  • SQL Server Agent

    Be aware that the SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.

  • Analysis Services¹

  • Reporting Services

  • Full-text search

Instance-unaware services in SQL Server include the following:

  • Integration Services

  • SQL Server Browser

  • SQL Writer

¹ Analysis Services in SharePoint integrated mode runs as 'PowerPivot' as a single, named instance. The instance name is fixed; you cannot specify a different name. You can install only one instance of Analysis Services running as 'PowerPivot' on each physical server.

Localized Service Names

The following table shows service names that are displayed by localized versions of Windows.

| Language | Name for Local Service | Name for Network Service | Name for Local System | Name for Admin Group |
|---|---|---|---|---|
| English, Simplified Chinese, Traditional Chinese, Korean, Japanese | NT AUTHORITY\LOCAL SERVICE | NT AUTHORITY\NETWORK SERVICE | NT AUTHORITY\SYSTEM | BUILTIN\Administrators |
| German | NT-AUTORITÄT\LOKALER DIENST | NT-AUTORITÄT\NETZWERKDIENST | NT-AUTORITÄT\SYSTEM | VORDEFINIERT\Administratoren |
| French | AUTORITE NT\SERVICE LOCAL | AUTORITE NT\SERVICE RÉSEAU | AUTORITE NT\SYSTEM | BUILTIN\Administrators |
| Italian | NT AUTHORITY\SERVIZIO LOCALE | NT AUTHORITY\SERVIZIO DI RETE | NT AUTHORITY\SYSTEM | BUILTIN\Administrators |
| Spanish | NT AUTHORITY\SERVICIO LOC | NT AUTHORITY\SERVICIO DE RED | NT AUTHORITY\SYSTEM | BUILTIN\Administradores |
| Russian | NT AUTHORITY\LOCAL SERVICE | NT AUTHORITY\NETWORK SERVICE | NT AUTHORITY\SYSTEM | BUILTIN\Администраторы |

Security Considerations for a SQL Server Installation

File Locations for Default and Named Instances of SQL Server

Install Master Data Services