Configure Windows Service Accounts and Permissions

Each service in SQL Server represents a process or a set of processes to manage authentication of SQL Server operations with Windows. This topic describes the default configuration of services in this release of SQL Server, and the configuration options for SQL Server services that you can set during and after SQL Server installation.

Contents

This topic is divided into the following sections:

  • Services Installed by SQL Server
  • Service Properties and Configuration
  • Service Permissions

Services Installed by SQL Server

Depending on the components that you decide to install, SQL Server Setup installs the following services:

  • SQL Server Database Services - The service for the SQL Server relational Database Engine. The executable file is <MSSQLPATH>\MSSQL\Binn\sqlservr.exe.

  • SQL Server Agent - Executes jobs, monitors SQL Server, fires alerts, and enables automation of some administrative tasks. The SQL Server Agent service is present but disabled on instances of SQL Server Express. The executable file is <MSSQLPATH>\MSSQL\Binn\sqlagent.exe.

  • Analysis Services - Provides online analytical processing (OLAP) and data mining functionality for business intelligence applications. The executable file is <MSSQLPATH>\OLAP\Bin\msmdsrv.exe.

  • Reporting Services - Manages, executes, creates, schedules, and delivers reports. The executable file is <MSSQLPATH>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe.

  • Integration Services - Provides management support for Integration Services package storage and execution. The executable path is <MSSQLPATH>\120\DTS\Binn\MsDtsSrvr.exe.

  • SQL Server Browser - The name resolution service that provides SQL Server connection information for client computers. The executable path is c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe.

  • Full-text search - Quickly creates full-text indexes on content and properties of structured and semistructured data to provide document filtering and word-breaking for SQL Server.

  • SQL Writer - Allows backup and restore applications to operate in the Volume Shadow Copy Service (VSS) framework.

  • SQL Server Distributed Replay Controller - Provides trace replay orchestration across multiple Distributed Replay client computers.

  • SQL Server Distributed Replay Client - One or more Distributed Replay client computers that work together with a Distributed Replay controller to simulate concurrent workloads against an instance of the SQL Server Database Engine.

Service Properties and Configuration

Startup accounts used to start and run SQL Server can be domain user accounts, local user accounts, managed service accounts, virtual accounts, or built-in system accounts. To start and run, each service in SQL Server must have a startup account configured during installation.

This section describes the accounts that can be configured to start SQL Server services, the default values used by SQL Server Setup, the concept of per-service SIDs, the startup options, and configuring the firewall.

Default Service Accounts

The following table lists the default service accounts used by Setup when installing all components. The default accounts listed are the recommended accounts, except as noted.

Stand-alone Server or Domain Controller

Component | Windows Server 2008 | Windows 7 and Windows Server 2008 R2 and higher
Database Engine | NETWORK SERVICE | Virtual Account *
SQL Server Agent | NETWORK SERVICE | Virtual Account *
SSAS | NETWORK SERVICE | Virtual Account *
SSIS | NETWORK SERVICE | Virtual Account *
SSRS | NETWORK SERVICE | Virtual Account *
SQL Server Distributed Replay Controller | NETWORK SERVICE | Virtual Account *
SQL Server Distributed Replay Client | NETWORK SERVICE | Virtual Account *
FD Launcher (Full-text Search) | LOCAL SERVICE | Virtual Account
SQL Server Browser | LOCAL SERVICE | LOCAL SERVICE
SQL Server VSS Writer | LOCAL SYSTEM | LOCAL SYSTEM

* When resources external to the SQL Server computer are needed, Microsoft recommends using a Managed Service Account (MSA), configured with the minimum privileges necessary.

SQL Server Failover Cluster Instance

Component | Windows Server 2008 | Windows Server 2008 R2
Database Engine | None. Provide a domain user account. | Provide a domain user account.
SQL Server Agent | None. Provide a domain user account. | Provide a domain user account.
SSAS | None. Provide a domain user account. | Provide a domain user account.
SSIS | NETWORK SERVICE | Virtual Account
SSRS | NETWORK SERVICE | Virtual Account
FD Launcher (Full-text Search) | LOCAL SERVICE | Virtual Account
SQL Server Browser | LOCAL SERVICE | LOCAL SERVICE
SQL Server VSS Writer | LOCAL SYSTEM | LOCAL SYSTEM

Changing Account Properties

Important

  • Always use SQL Server tools such as SQL Server Configuration Manager to change the account used by the SQL Server Database Engine or SQL Server Agent services, or to change the password for the account. In addition to changing the account name, SQL Server Configuration Manager performs additional configuration such as updating the Windows local security store that protects the service master key for the Database Engine. Other tools such as the Windows Services Control Manager (for example services.msc or sc.exe config) can change the account name but do not change all the required settings.
    • For Analysis Services instances that you deploy in a SharePoint farm, always use SharePoint Central Administration to change the server accounts for PowerPivot service applications and the Analysis Services service. Associated settings and permissions are updated to use the new account information when you use Central Administration.
    • To change Reporting Services options, use the Reporting Services Configuration Tool.
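The safe way to script the account change described in the note above is to go through the same WMI provider for configuration management that SQL Server Configuration Manager uses, rather than sc.exe or Set-Service. The following PowerShell is an added example, not code from the original page; it assumes SQL Server 2014 (WMI namespace ComputerManagement12), a default instance, and hypothetical gMSAs CONTOSO\sqlsvc$ and CONTOSO\sqlagt$ that have already been installed on the host.

```powershell
# Added example (not from the original page). Run elevated on the SQL Server host.
# Namespace suffix tracks the major version: 10 = 2008, 11 = 2012, 12 = 2014, 13 = 2016.
$ns = 'root\Microsoft\SqlServer\ComputerManagement12'

# 1. What do the SQL services run as today?
Get-CimInstance -Namespace $ns -ClassName SqlService |
    Select-Object ServiceName, DisplayName, StartName

# 2. Change the logon account through SqlService.SetServiceAccount. This is the call
#    Configuration Manager makes: besides the account name it re-ACLs the service's
#    resources, grants "Log on as a service", and updates the local security store that
#    protects the Database Engine's service master key. sc.exe config / Set-Service
#    change only the account name and leave those settings stale.
function Set-SqlServiceAccount {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Account,
        [string]$Password = ''            # blank for MSA, gMSA and virtual accounts
    )
    $svc = Get-CimInstance -Namespace $ns -ClassName SqlService -Filter "ServiceName='$ServiceName'"
    if (-not $svc) { throw "No SQL Server service named $ServiceName on this host" }
    $r = Invoke-CimMethod -InputObject $svc -MethodName SetServiceAccount -Arguments @{
        ServiceStartName     = $Account
        ServiceStartPassword = $Password
    }
    if ($r.ReturnValue -ne 0) { throw "SetServiceAccount($ServiceName) failed with code $($r.ReturnValue)" }
}

# One account per service, as the Security Note on this page recommends.
Set-SqlServiceAccount -ServiceName 'MSSQLSERVER'    -Account 'CONTOSO\sqlsvc$'
Set-SqlServiceAccount -ServiceName 'SQLSERVERAGENT' -Account 'CONTOSO\sqlagt$'

# 3. SetServiceAccount does not restart anything; the new identity applies on next start.
Restart-Service -Name MSSQLSERVER -Force      # -Force stops the dependent Agent service first
Start-Service   -Name SQLSERVERAGENT

# 4. Confirm.
Get-CimInstance -Namespace $ns -ClassName SqlService |
    Where-Object { $_.ServiceName -in 'MSSQLSERVER', 'SQLSERVERAGENT' } |
    Select-Object ServiceName, StartName
```

What not to do, for contrast: `sc.exe config MSSQLSERVER obj= "CONTOSO\sqlsvc$" password= ""` will show the new account in services.msc, but the per-service ACLs and the protected service master key are not updated, which is exactly the failure mode the Important note warns about.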

New Account Types Available with Windows 7 and Windows Server 2008 R2

Windows 7 and Windows Server 2008 R2 have two new types of service accounts called managed service accounts (MSA) and virtual accounts. Managed service accounts and virtual accounts are designed to provide crucial applications such as SQL Server with the isolation of their own accounts, while eliminating the need for an administrator to manually administer the Service Principal Name (SPN) and credentials for these accounts. These make long-term management of service account users, passwords and SPNs much easier.

  • Managed Service Accounts

    A Managed Service Account (MSA) is a type of domain account created and managed by the domain controller. It is assigned to a single member computer for use running a service. The password is managed automatically by the domain controller. You cannot use an MSA to log into a computer, but a computer can use an MSA to start a Windows service. An MSA can register a Service Principal Name (SPN) with Active Directory. An MSA is named with a $ suffix, for example DOMAIN\ACCOUNTNAME$. When specifying an MSA, leave the password blank. Because an MSA is assigned to a single computer, it cannot be used on different nodes of a Windows cluster.

    Note

    The MSA must be created in Active Directory by the domain administrator before SQL Server Setup can use it for SQL Server services.

  • Group Managed Service Accounts

    A Group Managed Service Account (gMSA) is an MSA for multiple servers. Windows manages a service account for services running on a group of servers. Active Directory automatically updates the group managed service account password without restarting services. You can configure SQL Server services to use a group managed service account principal. Beginning with SQL Server 2014, SQL Server supports group managed service accounts on Windows Server 2012 R2 and later for standalone instances, failover cluster instances, and availability groups.

    To use a group managed service account for SQL Server 2014 or later, the operating system must be Windows Server 2012 R2 or later. Servers running Windows Server 2012 R2 require KB 2998082 so that the services can log in without disruption immediately after a password change.

    For more information, see Group Managed Service Accounts.

    Note

    The group managed service account must be created in Active Directory by the domain administrator before SQL Server Setup can use it for SQL Server services.

  • Virtual Accounts

    Virtual accounts (beginning with Windows Server 2008 R2 and Windows 7) are managed local accounts that provide the following features to simplify service administration. The virtual account is auto-managed, and the virtual account can access the network in a domain environment. If the default value is used for the service accounts during SQL Server Setup, a virtual account using the instance name as the service name is used, in the format NT SERVICE\<SERVICENAME>. Services that run as virtual accounts access network resources by using the credentials of the computer account, in the format <domain_name>\<computer_name>$. When specifying a virtual account to start SQL Server, leave the password blank. If the virtual account fails to register the Service Principal Name (SPN), register the SPN manually. For more information on registering an SPN manually, see Manual SPN Registration.

    Note

    Virtual accounts cannot be used for a SQL Server Failover Cluster Instance, because the virtual account would not have the same SID on each node of the cluster.

    The following table lists examples of virtual account names.

    Service | Virtual Account Name
    Default instance of the Database Engine service | NT SERVICE\MSSQLSERVER
    Named instance of a Database Engine service named PAYROLL | NT SERVICE\MSSQL$PAYROLL
    SQL Server Agent service on the default instance of SQL Server | NT SERVICE\SQLSERVERAGENT
    SQL Server Agent service on an instance of SQL Server named PAYROLL | NT SERVICE\SQLAGENT$PAYROLL

    For more information on Managed Service Accounts and Virtual Accounts, see the Managed service account and virtual account concepts section of the Service Accounts Step-by-Step Guide and the Managed Service Accounts Frequently Asked Questions (FAQ).

    Security Note: Always run SQL Server services by using the lowest possible user rights. Use an MSA or virtual account when possible. When MSA and virtual accounts are not possible, use a specific low-privilege user account or domain account instead of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Do not grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted directly to a service SID, where a service SID is supported.
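The two Notes above say the MSA or gMSA must already exist in Active Directory before Setup can use it, and the virtual-account paragraph says to register the MSSQLSvc SPN manually when automatic registration fails. The following PowerShell is an added example covering both; it is not code from the original page and uses the ActiveDirectory module (RSAT) and setspn.exe. All names are hypothetical: domain contoso.com, a standalone host SQLHOST whose Database Engine runs as NT SERVICE\MSSQLSERVER, an MSA sqlsvc01 for that host, and cluster nodes SQLNODE1/SQLNODE2 sharing a gMSA sqlclu.

```powershell
# Added example (not from the original page). Steps 1-2 run as a domain administrator;
# the Install/Test lines run on each SQL host; step 3 runs on the virtual-account host.
Import-Module ActiveDirectory

# ---- 1. Standalone MSA: bound to exactly one computer, so unusable across cluster nodes ----
New-ADServiceAccount -Name 'sqlsvc01' -RestrictToSingleComputer
Add-ADComputerServiceAccount -Identity 'SQLHOST' -ServiceAccount 'sqlsvc01'

# ---- 2. Group MSA for an FCI or availability group: one principal on several hosts ----
# A KDS root key must exist once per forest before the first gMSA can be created.
if (-not (Get-KdsRootKey)) {
    # Production: Add-KdsRootKey -EffectiveImmediately, then wait ~10 h for replication.
    # Single-DC lab only: backdate so the key is usable at once.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}
$nodes = Get-ADComputer -Filter "Name -eq 'SQLNODE1' -or Name -eq 'SQLNODE2'"
New-ADServiceAccount -Name 'sqlclu' -DNSHostName 'sqlclu.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $nodes `
    -ServicePrincipalNames 'MSSQLSvc/sqlclu.contoso.com:1433', 'MSSQLSvc/sqlclu.contoso.com'

# On each node (after a reboot, so the node's Kerberos ticket reflects the new permission):
# cache the secret locally and prove it is retrievable BEFORE handing CONTOSO\sqlclu$
# (blank password) to Setup or Configuration Manager.
Install-ADServiceAccount -Identity 'sqlclu'
if (-not (Test-ADServiceAccount -Identity 'sqlclu')) { throw 'gMSA is not retrievable on this node' }

# ---- 3. Virtual account: the SPN belongs on the COMPUTER account, its network identity ----
$fqdn    = 'sqlhost.contoso.com'
$account = 'CONTOSO\SQLHOST$'
$wanted  = "MSSQLSvc/${fqdn}:1433", "MSSQLSvc/${fqdn}"     # port form + portless form (default instance)
$have    = setspn -L $account | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'MSSQLSvc/*' }
foreach ($spn in ($wanted | Where-Object { $_ -notin $have })) {
    # A duplicate SPN anywhere in the forest breaks Kerberos for both owners (clients fall
    # back to NTLM or fail outright), so query first; setspn -S also refuses duplicates.
    if (setspn -Q $spn | Where-Object { $_ -like 'CN=*' }) { throw "SPN $spn is already registered elsewhere" }
    setspn -S $spn $account
}
# From a domain-joined client, this should now report KERBEROS rather than NTLM:
#   SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;
```

For a gMSA the SPNs are placed on the gMSA object itself (step 2), because that account, not the computer, is the identity seen on the network; for a virtual account they go on the computer account (step 3), matching the <domain_name>\<computer_name>$ behaviour described above.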

Automatic Startup

In addition to having user accounts, every service has three possible startup states that users can control:

  • Disabled - The service is installed but not currently running.

  • Manual - The service is installed, but will start only when another service or application needs its functionality.

  • Automatic - The service is automatically started by the operating system.

    The startup state is selected during Setup. When installing a named instance, the SQL Server Browser service should be set to start automatically.

Configuring Services During Unattended Installation

The following table shows the SQL Server services that can be configured during installation. For unattended installations, you can use the switches in a configuration file or at a command prompt.

SQL Server service name | Switches for unattended installations¹
MSSQLSERVER | SQLSVCACCOUNT, SQLSVCPASSWORD, SQLSVCSTARTUPTYPE
SQLServerAgent² | AGTSVCACCOUNT, AGTSVCPASSWORD, AGTSVCSTARTUPTYPE
MSSQLServerOLAPService | ASSVCACCOUNT, ASSVCPASSWORD, ASSVCSTARTUPTYPE
ReportServer | RSSVCACCOUNT, RSSVCPASSWORD, RSSVCSTARTUPTYPE
Integration Services | ISSVCACCOUNT, ISSVCPASSWORD, ISSVCSTARTUPTYPE
SQL Server Distributed Replay Controller | DRU_CTLR, CTLRSVCACCOUNT, CTLRSVCPASSWORD, CTLRSTARTUPTYPE, CTLRUSERS
SQL Server Distributed Replay Client | DRU_CLT, CLTSVCACCOUNT, CLTSVCPASSWORD, CLTSTARTUPTYPE, CLTCTLRNAME, CLTWORKINGDIR, CLTRESULTDIR

¹ For more information and sample syntax for unattended installations, see Install SQL Server 2014 from the Command Prompt.

² The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.
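The account switches in the table are easiest to use safely when the accounts are MSAs, gMSAs or virtual accounts, because then the *SVCPASSWORD switches are simply omitted and no secret ever appears on a command line, in a ConfigurationFile.ini, or in the Setup logs. The following PowerShell wrapper is an added example, not from the original page; it assumes SQL Server 2014 media at D:\setup.exe, hypothetical gMSAs CONTOSO\sqlsvc$ (engine) and CONTOSO\sqlagt$ (Agent) already installed on the host, and a hypothetical CONTOSO\SQL Admins group for sysadmin.

```powershell
# Added example (not from the original page). Run elevated.
$setupArgs = @(
    '/Q'                                        # quiet, no UI
    '/ACTION=Install'
    '/IACCEPTSQLSERVERLICENSETERMS'
    '/FEATURES=SQLEngine,FullText'
    '/INSTANCENAME=MSSQLSERVER'
    '/SQLSVCACCOUNT="CONTOSO\sqlsvc$"'          # gMSA: no /SQLSVCPASSWORD at all
    '/SQLSVCSTARTUPTYPE=Automatic'
    '/AGTSVCACCOUNT="CONTOSO\sqlagt$"'          # separate account for Agent, no /AGTSVCPASSWORD
    '/AGTSVCSTARTUPTYPE=Automatic'
    '/SQLSYSADMINACCOUNTS="CONTOSO\SQL Admins"'
    '/TCPENABLED=1'
)
$p = Start-Process -FilePath 'D:\setup.exe' -ArgumentList $setupArgs -Wait -PassThru
switch ($p.ExitCode) {
    0       { 'Setup succeeded' }
    3010    { 'Setup succeeded; a reboot is required' }
    default { throw "Setup failed ($($p.ExitCode)); see $env:ProgramFiles\Microsoft SQL Server\120\Setup Bootstrap\Log\Summary.txt" }
}

# If a conventional domain account is unavoidable, prompt for the secret at run time instead
# of writing it into an .ini file that then sits in clear text on disk or in source control:
#   $pw    = Read-Host -AsSecureString 'Service account password'
#   $plain = (New-Object Net.NetworkCredential('', $pw)).Password
#   $setupArgs += "/SQLSVCPASSWORD=`"$plain`""
```

Exit code 3010 is the standard Windows Installer "success, reboot required" value; anything else should be looked up in Summary.txt before retrying.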

Firewall Port

In most cases, when initially installed, the Database Engine can be connected to by tools such as SQL Server Management Studio installed on the same computer as SQL Server. SQL Server Setup does not open ports in the Windows firewall. Connections from other computers may not be possible until the Database Engine is configured to listen on a TCP port, and the appropriate port is opened for connections in the Windows firewall. For more information, see Configure the Windows Firewall to Allow SQL Server Access.
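Because Setup opens nothing, the practical check is: is TCP/IP enabled, which port is it pinned to, and is the rule scoped to that port, that executable, and the clients that need it. The following PowerShell is an added example, not from the original page; it assumes a default instance of SQL Server 2014 (instance ID MSSQL12.MSSQLSERVER) on a domain-joined server, and a hypothetical application subnet 10.10.20.0/24 as the only permitted source.

```powershell
# Added example (not from the original page). Run elevated on the SQL Server host.
$netlib = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQLServer\SuperSocketNetLib'

# 1. Is TCP/IP enabled for the instance, and is the port static? A rule for a dynamic port
#    is worthless after the next restart, and Express/Developer editions ship with TCP off.
$tcp   = Get-ItemProperty -Path "$netlib\Tcp"
$ipAll = Get-ItemProperty -Path "$netlib\Tcp\IPAll"
if ($tcp.Enabled -ne 1) {
    throw 'TCP/IP is disabled for this instance; enable it in SQL Server Configuration Manager first.'
}
$port = if ($ipAll.TcpPort) {
    $ipAll.TcpPort
} else {
    throw "Instance is using a dynamic port ($($ipAll.TcpDynamicPorts)); pin TcpPort before adding a firewall rule."
}

# 2. Open exactly that port, only for sqlservr.exe, only on the domain profile, only from the app subnet.
$exe = "$env:ProgramFiles\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
netsh advfirewall firewall add rule name="SQL Server Database Engine (TCP $port)" `
    dir=in action=allow protocol=TCP localport=$port program="$exe" profile=domain remoteip=10.10.20.0/24

# 3. Only if clients must resolve a NAMED instance by name: SQL Server Browser answers on UDP 1434.
#    When every client is given the port explicitly, leave this closed and stop the Browser service.
# netsh advfirewall firewall add rule name="SQL Server Browser (UDP 1434)" dir=in action=allow protocol=UDP localport=1434 profile=domain remoteip=10.10.20.0/24

# 4. Verify what was written.
netsh advfirewall firewall show rule name="SQL Server Database Engine (TCP $port)"
```

netsh is used rather than New-NetFirewallRule so the same commands work on Windows Server 2008 R2, which this page still covers and which lacks the NetSecurity module.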

Service Permissions

This section describes the permissions that SQL Server Setup configures for the per-service SIDs of the SQL Server services.

Service Configuration and Access Control

SQL Server 2014 enables per-service SIDs for each of its services to provide service isolation and defense in depth. The per-service SID is derived from the service name and is unique to that service. For example, a service SID name for the Database Engine service might be NT Service\MSSQL$<InstanceName>. Service isolation enables access to specific objects without the need to run a high-privilege account or weaken the security protection of the object. By using an access control entry that contains a service SID, a SQL Server service can restrict access to its resources.

Note

On Windows 7 and Windows Server 2008 R2 (and later) the per-service SID can be the virtual account used by the service.

For most components SQL Server configures the ACL for the per-service account directly, so changing the service account can be done without having to repeat the resource ACL process.

When installing SSAS, a per-service SID for the Analysis Services service is created. A local Windows group is also created, named in the format SQLServerMSASUser$computer_name$instance_name. The per-service SID NT SERVICE\MSSQLServerOLAPService is granted membership in the local Windows group, and the local Windows group is granted the appropriate permissions in the ACL. If the account used to start the Analysis Services service is changed, SQL Server Configuration Manager must change some Windows permissions (such as the right to log on as a service), but the permissions assigned to the local Windows group remain valid without any updating, because the per-service SID has not changed. This method allows the Analysis Services service to be renamed during upgrades.

During SQL Server installation, SQL Server Setup creates local Windows groups for SSAS and the SQL Server Browser service. For these services, SQL Server configures the ACL for the local Windows groups.

Depending on the service configuration, the service account for a service or the service SID is added as a member of the service group during install or upgrade.
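The property that makes the scheme above work is that the per-service SID is a pure function of the service name: S-1-5-80 followed by the SHA-1 of the upper-cased UTF-16LE service name, read as five little-endian 32-bit sub-authorities. The following PowerShell is an added example, not from the original page: it derives that SID, cross-checks it against sc.exe showsid, and then grants a folder to the SID the way the file-system ACL table later on this page does, so the grant survives a later change of logon account. The named instance PAYROLL and the folder D:\SQLBackup are hypothetical.

```powershell
# Added example (not from the original page). Run elevated on the SQL Server host.
function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    $bytes = [Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())   # UTF-16LE, upper-cased
    $hash  = [Security.Cryptography.SHA1]::Create().ComputeHash($bytes)           # 20 bytes
    $subAuthorities = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    'S-1-5-80-' + ($subAuthorities -join '-')
}

$serviceName = 'MSSQL$PAYROLL'                 # Database Engine service of the PAYROLL instance
$sid = Get-ServiceSid -ServiceName $serviceName

# sc.exe derives the same value from the name alone, so this works even before the instance exists.
$scLine = sc.exe showsid $serviceName | Select-String 'SERVICE SID:\s*(S-1-5-80-\S+)'
$scSid  = $scLine.Matches[0].Groups[1].Value
if ($scSid -ne $sid) { throw "SID mismatch: computed $sid, sc.exe reports $scSid" }

# Grant Modify to the service SID (displayed as NT SERVICE\MSSQL$PAYROLL once the service is installed),
# not to the logon account. Swapping the logon account later via Configuration Manager leaves this
# ACE valid; an ACE written for CONTOSO\sqlsvc$ would have to be redone.
$folder   = 'D:\SQLBackup'
$identity = New-Object Security.Principal.SecurityIdentifier($sid)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $identity,
    [Security.AccessControl.FileSystemRights]::Modify,
    [Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [Security.AccessControl.PropagationFlags]::None,
    [Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Review: apart from Administrators and SYSTEM, only the service SID should be able to write here.
(Get-Acl -Path $folder).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The same derivation explains the Note above: a virtual account NT SERVICE\MSSQL$PAYROLL and the per-service SID of MSSQL$PAYROLL are one and the same principal, which is why ACLs written to it need no update when the startup account changes.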

Windows Privileges and Rights

The account assigned to start a service needs the Start, stop and pause permission for the service. The SQL Server Setup program automatically assigns this. Managing these permissions yourself requires the Remote Server Administration Tools (RSAT); install RSAT first. See Remote Server Administration Tools for Windows 7.

The following list shows, for each SQL Server service, the permissions that SQL Server Setup requests for the per-service SID or local Windows group used by that SQL Server component.

SQL Server Database Engine
    (All rights are granted to the per-service SID. Default instance: NT SERVICE\MSSQLSERVER. Named instance: NT SERVICE\MSSQL$InstanceName.)
    • Log on as a service (SeServiceLogonRight)
    • Replace a process-level token (SeAssignPrimaryTokenPrivilege)
    • Bypass traverse checking (SeChangeNotifyPrivilege)
    • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
    • Permission to start SQL Writer
    • Permission to read the Event Log service
    • Permission to read the Remote Procedure Call service

SQL Server Agent¹
    (All rights are granted to the per-service SID. Default instance: NT Service\SQLSERVERAGENT. Named instance: NT Service\SQLAGENT$InstanceName.)
    • Log on as a service (SeServiceLogonRight)
    • Replace a process-level token (SeAssignPrimaryTokenPrivilege)
    • Bypass traverse checking (SeChangeNotifyPrivilege)
    • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

SSAS
    (All rights are granted to a local Windows group. Default instance: SQLServerMSASUser$ComputerName$MSSQLSERVER. Named instance: SQLServerMSASUser$ComputerName$InstanceName. PowerPivot for SharePoint instance: SQLServerMSASUser$ComputerName$PowerPivot.)
    • Log on as a service (SeServiceLogonRight)
    For tabular only:
    • Increase a process working set (SeIncreaseWorkingSetPrivilege)
    • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
    • Lock pages in memory (SeLockMemoryPrivilege) - needed only when paging is turned off entirely.
    For failover cluster installations only:
    • Increase scheduling priority (SeIncreaseBasePriorityPrivilege)

SSRS
    (All rights are granted to the per-service SID. Default instance: NT SERVICE\ReportServer. Named instance: NT SERVICE\ReportServer$InstanceName.)
    • Log on as a service (SeServiceLogonRight)

SSIS
    (All rights are granted to the per-service SID. Default instance and named instance: NT SERVICE\MsDtsServer120. Integration Services does not have a separate process for a named instance.)
    • Log on as a service (SeServiceLogonRight)
    • Permission to write to the application event log
    • Bypass traverse checking (SeChangeNotifyPrivilege)
    • Impersonate a client after authentication (SeImpersonatePrivilege)

Full-text search
    (All rights are granted to the per-service SID. Default instance: NT Service\MSSQLFDLauncher. Named instance: NT Service\MSSQLFDLauncher$InstanceName.)
    • Log on as a service (SeServiceLogonRight)
    • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
    • Bypass traverse checking (SeChangeNotifyPrivilege)

SQL Server Browser
    (All rights are granted to a local Windows group. Default or named instance: SQLServer2005SQLBrowserUser$ComputerName. SQL Server Browser does not have a separate process for a named instance.)
    • Log on as a service (SeServiceLogonRight)

SQL Server VSS Writer
    (All rights are granted to the per-service SID. Default or named instance: NT Service\SQLWriter. SQL Server VSS Writer does not have a separate process for a named instance.)
    The SQLWriter service runs under the LOCAL SYSTEM account, which has all the required permissions. SQL Server Setup does not check or grant permissions for this service.

SQL Server Distributed Replay Controller
    • Log on as a service (SeServiceLogonRight)

SQL Server Distributed Replay Client
    • Log on as a service (SeServiceLogonRight)

¹ The SQL Server Agent service is disabled on instances of SQL Server Express.
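The list above is also a baseline to audit against: a hardening template or a well-meaning administrator can add rights such as SeDebugPrivilege or SeTcbPrivilege to a service SID, and a missing SeAssignPrimaryTokenPrivilege or SeIncreaseQuotaPrivilege stops the engine from spawning child processes. The following PowerShell is an added example, not from the original page: it exports the local user-rights assignments with secedit, extracts the rights held by one service SID, and diffs them against the four user rights Setup grants to the Database Engine (the remaining Database Engine entries in the list are service-object permissions, not user rights, and are not in the export). The default instance MSSQLSERVER is assumed.

```powershell
# Added example (not from the original page). Run elevated on the SQL Server host.
function Get-UserRightsForSid {
    param([Parameter(Mandatory)][string]$Sid)
    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    # /areas USER_RIGHTS limits the export to the [Privilege Rights] section.
    secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    try {
        # Lines look like:  SeServiceLogonRight = *S-1-5-80-...,*S-1-5-19,CONTOSO\someone
        Get-Content -Path $inf | ForEach-Object {
            if ($_ -match '^\s*(Se\w+)\s*=\s*(.+)$') {
                $right   = $Matches[1]
                $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
                if ($holders -contains $Sid) { $right }
            }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

# Per-service SID of the default instance; sc.exe derives it from the name, no running service needed.
$sid = (sc.exe showsid MSSQLSERVER | Select-String 'SERVICE SID:\s*(S-1-5-80-\S+)').Matches[0].Groups[1].Value

# The user rights Setup grants to the Database Engine, per the list on this page.
$expected = 'SeServiceLogonRight', 'SeAssignPrimaryTokenPrivilege', 'SeChangeNotifyPrivilege', 'SeIncreaseQuotaPrivilege'
$actual   = @(Get-UserRightsForSid -Sid $sid)

$missing = @($expected | Where-Object { $_ -notin $actual })     # service will fail to start or to launch child processes
$extra   = @($actual   | Where-Object { $_ -notin $expected })   # anything here widens the blast radius of a compromised engine

"Service SID : $sid"
"Missing     : $($missing -join ', ')"
"Extra       : $($extra -join ', ')"
if ($extra) { 'Review each extra right; remove it unless there is a documented reason (for example SeLockMemoryPrivilege for Lock Pages in Memory).' }
```

Run the same function with the Agent, full-text or SSIS SID and the corresponding expected set from the list to cover the other services; the INF parser and SID derivation do not change.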

File System Permissions Granted to SQL Server Per-service SIDs or Local Windows Groups

SQL Server service accounts must have access to resources. Access control lists are set for the per-service SID or the local Windows group.

Important

For failover cluster installations, resources on shared disks must be set to an ACL for a local account.

The following table shows the ACLs that are set by SQL Server Setup:

| Service account for | Files and folders | Access |
|---|---|---|
| MSSQLServer | Instid\MSSQL\backup | Full control |
| | Instid\MSSQL\binn | Read, Execute |
| | Instid\MSSQL\data | Full control |
| | Instid\MSSQL\FTData | Full control |
| | Instid\MSSQL\Install | Read, Execute |
| | Instid\MSSQL\Log | Full control |
| | Instid\MSSQL\Repldata | Full control |
| | 120\shared | Read, Execute |
| | Instid\MSSQL\Template Data (SQL Server Express only) | Read |
| SQLServerAgent1 | Instid\MSSQL\binn | Full control |
| | Instid\MSSQL\Log | Read, Write, Delete, Execute |
| | 120\com | Read, Execute |
| | 120\shared | Read, Execute |
| | 120\shared\Errordumps | Read, Write |
| | ServerName\EventLog | Full control |
| FTS | Instid\MSSQL\FTData | Full control |
| | Instid\MSSQL\FTRef | Read, Execute |
| | 120\shared | Read, Execute |
| | 120\shared\Errordumps | Read, Write |
| | Instid\MSSQL\Install | Read, Execute |
| | Instid\MSSQL\jobs | Read, Write |
| MSSQLServerOLAPservice | 120\shared\ASConfig | Full control |
| | Instid\OLAP | Read, Execute |
| | Instid\Olap\Data | Full control |
| | Instid\Olap\Log | Read, Write |
| | Instid\OLAP\Backup | Read, Write |
| | Instid\OLAP\Temp | Read, Write |
| | 120\shared\Errordumps | Read, Write |
| SQLServerReportServerUser | Instid\Reporting Services\Log Files | Read, Write, Delete |
| | Instid\Reporting Services\ReportServer | Read, Execute |
| | Instid\Reportingservices\Reportserver\global.asax | Full control |
| | Instid\Reportingservices\Reportserver\Reportserver.config | Read |
| | Instid\Reporting Services\reportManager | Read, Execute |
| | Instid\Reporting Services\RSTempfiles | Read, Write, Execute, Delete |
| | 120\shared | Read, Execute |
| | 120\shared\Errordumps | Read, Write |
| MSDTSServer100 | 120\dts\binn\MsDtsSrvr.ini.xml | Read |
| | 120\dts\binn | Read, Execute |
| | 120\shared | Read, Execute |
| | 120\shared\Errordumps | Read, Write |
| SQL Server Browser | 120\shared\ASConfig | Read |
| | 120\shared | Read, Execute |
| | 120\shared\Errordumps | Read, Write |
| SQLWriter | N/A (runs as Local System) | |
| User | Instid\MSSQL\binn | Read, Execute |
| | Instid\Reporting Services\ReportServer | Read, Execute, List Folder Contents |
| | Instid\Reportingservices\Reportserver\global.asax | Read |
| | Instid\Reporting Services\ReportManager | Read, Execute |
| | Instid\Reporting Services\ReportManager\pages | Read |
| | Instid\Reporting Services\ReportManager\Styles | Read |
| | 120\dts | Read, Execute |
| | 120\tools | Read, Execute |
| | 100\tools | Read, Execute |
| | 90\tools | Read, Execute |
| | 80\tools | Read, Execute |
| | 120\sdk | Read |
| | Microsoft SQL Server\120\Setup Bootstrap | Read, Execute |
| SQL Server Distributed Replay Controller | <ToolsDir>\DReplayController\Log\ (empty directory) | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayController\DReplayController.exe | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayController\resources | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayController\{all dlls} | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayController\DReplayController.config | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayController\IRTemplate.tdf | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayController\IRDefinition.xml | Read, Execute, List Folder Contents |
| SQL Server Distributed Replay Client | <ToolsDir>\DReplayClient\Log | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayClient\DReplayClient.exe | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayClient\resources | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayClient\ (all dlls) | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayClient\DReplayClient.config | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayClient\IRTemplate.tdf | Read, Execute, List Folder Contents |
| | <ToolsDir>\DReplayClient\IRDefinition.xml | Read, Execute, List Folder Contents |

1 The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.

When database files are stored in a user-defined location, you must grant the per-service SID access to that location. For more information about granting file system permissions to a per-service SID, see Configure File System Permissions for Database Engine Access.

File System Permissions Granted to Other Windows User Accounts or Groups

Some access control permissions might have to be granted to built-in accounts or other SQL Server service accounts. The following table lists additional ACLs that are set by SQL Server Setup.

| Requesting component | Account | Resource | Permissions |
|---|---|---|---|
| MSSQLServer | Performance Log Users | Instid\MSSQL\binn | List folder contents |
| | Performance Monitor Users | Instid\MSSQL\binn | List folder contents |
| | Performance Log Users, Performance Monitor Users | \WINNT\system32\sqlctr120.dll | Read, Execute |
| | Administrator only | \\.\root\Microsoft\SqlServer\ServerEvents\<sql_instance_name>1 | Full control |
| | Administrators, System | \tools\binn\schemas\sqlserver\2004\07\showplan | Full control |
| | Users | \tools\binn\schemas\sqlserver\2004\07\showplan | Read, Execute |
| Reporting Services | <Report Server Web Service Account> | <install>\Reporting Services\LogFiles | DELETE, READ_CONTROL, SYNCHRONIZE, FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES |
| | Report Manager Application pool identity, ASP.NET account, Everyone | <install>\Reporting Services\ReportManager, <install>\Reporting Services\ReportManager\Pages\*.*, <install>\Reporting Services\ReportManager\Styles\*.*, <install>\Reporting Services\ReportManager\webctrl_client\1_0\*.* | Read |
| | Report Manager Application pool identity | <install>\Reporting Services\ReportManager\Pages\*.* | Read |
| | <Report Server Web Service Account> | <install>\Reporting Services\ReportServer | Read |
| | <Report Server Web Service Account> | <install>\Reporting Services\ReportServer\global.asax | Full |
| | Everyone | <install>\Reporting Services\ReportServer\global.asax | READ_CONTROL, FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES |
| | Network Service | <install>\Reporting Services\ReportServer\ReportService.asmx | Full |
| | Everyone | <install>\Reporting Services\ReportServer\ReportService.asmx | READ_CONTROL, SYNCHRONIZE, FILE_GENERIC_READ, FILE_GENERIC_EXECUTE, FILE_READ_DATA, FILE_READ_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES |
| | ReportServer Windows Service Account | <install>\Reporting Services\ReportServer\RSReportServer.config | DELETE, READ_CONTROL, SYNCHRONIZE, FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES |
| | Everyone | Report Server keys (Instid hive) | Query Value, Enumerate SubKeys, Notify, Read Control |
| | Terminal Services User | Report Server keys (Instid hive) | Query Value, Set Value, Create SubKey, Enumerate SubKeys, Notify, Delete, Read Control |
| | Power Users | Report Server keys (Instid hive) | Query Value, Set Value, Create SubKey, Enumerate SubKeys, Notify, Delete, Read Control |

1 This is the WMI provider namespace.

File System Permissions Related to Unusual Disk Locations

The default drive for installation locations is systemdrive, normally drive C. The following considerations apply when tempdb or user databases are installed somewhere else.

Non-default Drive

When installed to a local drive that is not the default drive, the per-service SID must have access to the file location. SQL Server Setup provisions the required access.

Network Share

When databases are installed to a network share, the service account must have access to the file location of the user and tempdb databases. SQL Server Setup cannot provision access to a network share. The user must provision access to the tempdb location for the service account before running Setup, and must provision access to the user database location before creating the database.

Note

Virtual accounts cannot be authenticated to a remote location. All virtual accounts use the permissions of the machine account. Provision the machine account in the format <domain_name>\<computer_name>$.
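The following PowerShell is an added example, not code from the original page. It provisions and then verifies NTFS access for a data directory outside the default location and covers both cases above: a local non-default drive, where the per-service SID (NT SERVICE\MSSQLSERVER or NT SERVICE\MSSQL$<name>) is granted access, and a network share, where the machine account <domain_name>\<computer_name>$ must be used because a virtual account cannot authenticate remotely. The instance name, the paths, and the assumption that the NetBIOS domain name is the first label of the computer's DNS domain are all illustrative.

```powershell
# Added example, not part of the original page. Assumed: instance name, paths, and
# that the NetBIOS domain name equals the first label of the computer's DNS domain.
# Run in an elevated Windows PowerShell session on the SQL Server host.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function Get-SqlServiceSid {
    # Per-service SID name used in ACLs: NT SERVICE\MSSQLSERVER for the default
    # instance, NT SERVICE\MSSQL$<name> for a named instance.
    param([string]$InstanceName = 'MSSQLSERVER')
    if ($InstanceName -ieq 'MSSQLSERVER') { return 'NT SERVICE\MSSQLSERVER' }
    return "NT SERVICE\MSSQL`$$InstanceName"
}

function Resolve-SqlPathIdentity {
    # Local path -> the per-service SID (what Setup itself grants on a non-default drive).
    # UNC path   -> the machine account, the only identity a virtual account presents
    #               to a remote file server. Meaningless on a workgroup machine.
    param([string]$Path, [string]$InstanceName)
    if ($Path.StartsWith('\\')) {
        $dnsDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
        $netbios   = $dnsDomain.Split('.')[0]            # assumption: first DNS label
        return "$netbios\$env:COMPUTERNAME`$"
    }
    return Get-SqlServiceSid -InstanceName $InstanceName
}

function Grant-SqlDataPathAccess {
    param([Parameter(Mandatory)][string]$Path, [string]$InstanceName = 'MSSQLSERVER')
    $identity = Resolve-SqlPathIdentity -Path $Path -InstanceName $InstanceName
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl  = Get-Acl -LiteralPath $Path
    $rule = [FileSystemAccessRule]::new(
        $identity,
        [FileSystemRights]::FullControl,
        [InheritanceFlags]'ContainerInherit, ObjectInherit',   # files and subfolders
        [PropagationFlags]::None,
        [AccessControlType]::Allow)
    $acl.SetAccessRule($rule)    # replaces any existing Allow rule for this identity
    Set-Acl -LiteralPath $Path -AclObject $acl
    return $identity
}

function Test-SqlDataPathAccess {
    # Reads the ACL back and reports whether the identity chosen by
    # Resolve-SqlPathIdentity holds an Allow entry that covers FullControl.
    param([Parameter(Mandatory)][string]$Path, [string]$InstanceName = 'MSSQLSERVER')
    $identity = Resolve-SqlPathIdentity -Path $Path -InstanceName $InstanceName
    $acl  = Get-Acl -LiteralPath $Path
    $full = [FileSystemRights]::FullControl
    $hit  = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $identity -and
        $_.AccessControlType -eq [AccessControlType]::Allow -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    [pscustomobject]@{ Path = $Path; Identity = $identity; HasFullControl = [bool]$hit }
}

# Usage with assumed values: a second local drive, then a file-server share.
Grant-SqlDataPathAccess -Path 'D:\SQLData' -InstanceName 'MSSQLSERVER'
Test-SqlDataPathAccess  -Path 'D:\SQLData' -InstanceName 'MSSQLSERVER'
Test-SqlDataPathAccess  -Path '\\fileserver\sqldata' -InstanceName 'MSSQLSERVER'
```

For the share case the NTFS ACL on the file server is only half of the check: the share-level permission (for example through Grant-SmbShareAccess on the file server) must also admit the machine account, and that step is outside this script.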

Reviewing Additional Considerations

The following table shows the permissions that are required for SQL Server services to provide additional functionality.

| Service/Application | Functionality | Required permission |
|---|---|---|
| SQL Server (MSSQLSERVER) | Write to a mail slot using xp_sendmail. | Network write permissions. |
| SQL Server (MSSQLSERVER) | Run xp_cmdshell for a user other than a SQL Server administrator. | Act as part of operating system and replace a process-level token. |
| SQL Server Agent (MSSQLSERVER) | Use the autorestart feature. | Must be a member of the Administrators local group. |
| Database Engine Tuning Advisor | Tunes databases for optimal query performance. | On first use, a user who has system administrative credentials must initialize the application. After initialization, dbo users can use the Database Engine Tuning Advisor to tune only those tables that they own. For more information, see "Initializing Database Engine Tuning Advisor on First Use" in SQL Server Books Online. |

Important

Before you upgrade SQL Server, enable Windows Authentication for SQL Server Agent and verify the required default configuration: that the SQL Server Agent service account is a member of the SQL Server sysadmin group.
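The rights in the table above are Windows user rights and local group memberships, not SQL Server permissions, so the place to verify them is local security policy. The following PowerShell is an added example, not code from the original page: it exports the User Rights Assignment with secedit.exe, resolves the SIDs it lists, reports every right a given service account holds, flags rights that amount to local SYSTEM, and checks local Administrators membership (which the Agent autorestart feature needs). The account name at the bottom is an assumption, and the session must be elevated.

```powershell
# Added example, not part of the original page. Assumed: the account name used at
# the bottom. Requires an elevated session (secedit.exe needs it to export policy).

function Get-LocalUserRights {
    # Returns a hashtable: right name (SeXxx) -> array of account names, resolved
    # from the *S-1-... SIDs that secedit writes; unresolvable SIDs are kept as-is.
    $inf = Join-Path $env:TEMP "user-rights-$PID.inf"
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    try {
        $rights = @{}
        foreach ($line in Get-Content -LiteralPath $inf) {
            if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
            $name = $Matches[1]
            $rights[$name] = @(foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry.StartsWith('*')) { $entry; continue }
                $sid = [System.Security.Principal.SecurityIdentifier]$entry.Substring(1)
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }
            })
        }
        return $rights
    }
    finally { Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue }
}

function Test-LocalAdministratorsMember {
    # ADSI enumeration works on every supported Windows version, unlike Get-LocalGroupMember.
    param([Parameter(Mandatory)][string]$Account)
    $group   = [ADSI]'WinNT://./Administrators,group'
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    # Member paths look like WinNT://CONTOSO/sqlagent; compare on the DOMAIN/name form.
    $wanted = 'WinNT://' + ($Account -replace '\\', '/')
    return [bool]($members | Where-Object { $_ -ieq $wanted })
}

function Get-ServiceAccountRightsReport {
    param([Parameter(Mandatory)][string]$Account)
    $rights = Get-LocalUserRights
    $held   = @($rights.Keys | Where-Object { $rights[$_] -contains $Account } | Sort-Object)
    # Rights that are equivalent to local SYSTEM and that no SQL Server service needs
    # by default. SeAssignPrimaryTokenPrivilege is deliberately not listed because
    # Setup grants it to the Database Engine itself; SeTcbPrivilege ("Act as part of
    # the operating system") is needed only for xp_cmdshell by non-sysadmin users
    # and should otherwise be absent.
    $highRisk = 'SeTcbPrivilege', 'SeDebugPrivilege', 'SeTakeOwnershipPrivilege',
                'SeLoadDriverPrivilege', 'SeRestorePrivilege', 'SeCreateTokenPrivilege'
    [pscustomobject]@{
        Account            = $Account
        CanLogOnAsService  = ($held -contains 'SeServiceLogonRight')
        Rights             = $held
        HighRiskRights     = @($held | Where-Object { $highRisk -contains $_ })
        LocalAdministrator = Test-LocalAdministratorsMember -Account $Account
    }
}

# Usage with an assumed account (the default-instance Agent per-service SID):
Get-ServiceAccountRightsReport -Account 'NT SERVICE\SQLSERVERAGENT' | Format-List
```

A service account that reports HighRiskRights or LocalAdministrator = True without one of the features in the table as justification is over-privileged; the fix is to remove the right in Local Security Policy (or the group membership), not to leave it in place because Setup did not add it.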

Registry Permissions

The registry hive for instance-aware components is created under HKLM\Software\Microsoft\Microsoft SQL Server\<Instance_ID>. For example:

  • HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL12.MyInstance

  • HKLM\Software\Microsoft\Microsoft SQL Server\MSASSQL12.MyInstance

  • HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL.120

    The registry also maintains a mapping of instance ID to instance name. The mapping is maintained as follows:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\SQL] "InstanceName"="MSSQL12"

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\OLAP] "InstanceName"="MSASSQL12"

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\RS] "InstanceName"="MSRSSQL12"
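The following PowerShell is an added example, not code from the original page. It walks the mapping keys just described to turn an instance name into its Instance_ID, then lists every ACE on that instance hive that permits writing, so that an unexpected principal with write access to the instance's configuration stands out. The instance name is an assumption.

```powershell
# Added example, not part of the original page. Assumed: the instance name used at
# the bottom. Read-only; run as a local administrator.

function Get-SqlInstanceId {
    # Instance Names\SQL, \OLAP and \RS hold one value per instance: the value name
    # is the instance name and its data is the Instance_ID, e.g. MSSQL12.MSSQLSERVER.
    param([string]$InstanceName = 'MSSQLSERVER',
          [ValidateSet('SQL', 'OLAP', 'RS')][string]$Component = 'SQL')
    $mapKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\$Component"
    $props  = Get-ItemProperty -Path $mapKey -ErrorAction Stop
    $id     = $props.$InstanceName
    if (-not $id) { throw "No $Component instance named '$InstanceName' is registered." }
    return $id
}

function Get-SqlInstanceHiveWriters {
    param([string]$InstanceName = 'MSSQLSERVER',
          [ValidateSet('SQL', 'OLAP', 'RS')][string]$Component = 'SQL')
    $id   = Get-SqlInstanceId -InstanceName $InstanceName -Component $Component
    $hive = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$id"
    $acl  = Get-Acl -Path $hive
    # Specific rights that let a principal change configuration under the hive, plus
    # the generic bits (GENERIC_ALL, GENERIC_WRITE) that inherited ACEs may carry
    # instead of specific rights.
    $writeBits   = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                         [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                         [System.Security.AccessControl.RegistryRights]::Delete)
    $genericBits = 0x10000000 -bor 0x40000000
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $bits = [int]$ace.RegistryRights
        if ((($bits -band $writeBits) -eq 0) -and (($bits -band $genericBits) -eq 0)) { continue }
        [pscustomobject]@{
            Hive      = $hive
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

# Usage with an assumed instance. Typical writers are SYSTEM, BUILTIN\Administrators
# and CREATOR OWNER (inherited from HKLM\SOFTWARE) plus the instance's per-service
# SID; any other identity with write access deserves a closer look.
Get-SqlInstanceHiveWriters -InstanceName 'MSSQLSERVER' | Format-Table -AutoSize
```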

WMI

Windows Management Instrumentation (WMI) must be able to connect to the Database Engine. To support this, the per-service SID of the Windows WMI provider (NT SERVICE\winmgmt) is provisioned in the Database Engine.

The SQL WMI provider requires the following permissions:

  • Membership in the db_ddladmin or db_owner fixed database roles in the msdb database.

  • CREATE DDL EVENT NOTIFICATION permission in the server.

  • CREATE TRACE EVENT NOTIFICATION permission in the Database Engine.

  • VIEW ANY DATABASE server-level permission.

    SQL Server Setup creates a SQL WMI namespace and grants read permission to the SQL Server Agent service SID.

Named Pipes

In all installations, SQL Server Setup provides access to the SQL Server Database Engine through the shared memory protocol, which is a local named pipe.

Provisioning

This section describes how accounts are provisioned inside the various SQL Server components.

Database Engine Provisioning

The following accounts are added as logins in the SQL Server Database Engine.

Windows Principals

During setup, SQL Server Setup requires at least one user account to be named as a member of the sysadmin fixed server role.

sa Account

The sa account is always present as a Database Engine login and is a member of the sysadmin fixed server role. When the Database Engine is installed using only Windows Authentication (that is, when SQL Server Authentication is not enabled), the sa login is still present but is disabled. For information about enabling the sa account, see Change Server Authentication Mode.

SQL Server Per-service SID Login and Privileges

The per-service SID of the SQL Server service is provisioned as a Database Engine login. The per-service SID login is a member of the sysadmin fixed server role.

SQL Server Agent Login and Privileges

The per-service SID of the SQL Server Agent service is provisioned as a Database Engine login. The per-service SID login is a member of the sysadmin fixed server role.

Always On Availability Groups and SQL Failover Cluster Instance and Privileges

When the Database Engine is installed as part of an Always On Availability Group or as a SQL Failover Cluster Instance (SQL FCI), LOCAL SYSTEM is provisioned in the Database Engine. The LOCAL SYSTEM login is granted the ALTER ANY AVAILABILITY GROUP permission (for Always On Availability Groups) and the VIEW SERVER STATE permission (for SQL FCI).

SQL Writer and Privileges

The per-service SID of the SQL Server VSS Writer service is provisioned as a Database Engine login. The per-service SID login is a member of the sysadmin fixed server role.

SQL WMI and Privileges

SQL Server Setup provisions the NT SERVICE\Winmgmt account as a Database Engine login and adds it to the sysadmin fixed server role.
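Taken together, the paragraphs above define the set of logins Setup places in sysadmin: the Database Engine, Agent and SQL Writer per-service SIDs, NT SERVICE\Winmgmt, sa, and the Windows principals nominated during setup. The following PowerShell is an added example, not code from the original page: it queries sys.server_role_members through the .NET SqlClient that ships with Windows and compares the actual membership with that baseline, so extra sysadmin logins, a missing provisioned login, or an enabled sa login are reported. The server name, the instance name and the use of Windows authentication are assumptions.

```powershell
# Added example, not part of the original page. Assumed: server and instance names,
# and that the caller can connect with Windows authentication and has permission to
# read sys.server_principals (VIEW ANY DEFINITION or sysadmin).

function Get-SqlSysadminMembers {
    param([string]$ServerInstance = 'localhost')
    $cs  = "Server=$ServerInstance;Integrated Security=SSPI;Application Name=SysadminAudit"
    $sql = @'
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
'@
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) {
            [pscustomobject]@{
                Name     = [string]$rdr['name']
                Type     = [string]$rdr['type_desc']
                Disabled = [bool]$rdr['is_disabled']
            }
        }
    }
    finally { $conn.Dispose() }
}

function Get-SqlSysadminBaseline {
    # Logins this page says Setup provisions into sysadmin, derived from the instance name.
    param([string]$InstanceName = 'MSSQLSERVER')
    if ($InstanceName -ieq 'MSSQLSERVER') {
        $engine = 'NT SERVICE\MSSQLSERVER'
        $agent  = 'NT SERVICE\SQLSERVERAGENT'
    } else {
        $engine = "NT SERVICE\MSSQL`$$InstanceName"
        $agent  = "NT SERVICE\SQLAgent`$$InstanceName"
    }
    return @($engine, $agent, 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt', 'sa')
}

function Test-SqlSysadminMembership {
    param([string]$ServerInstance = 'localhost', [string]$InstanceName = 'MSSQLSERVER')
    $expected = Get-SqlSysadminBaseline -InstanceName $InstanceName
    $members  = @(Get-SqlSysadminMembers -ServerInstance $ServerInstance)
    $names    = @($members | ForEach-Object Name)
    [pscustomobject]@{
        # Windows principals nominated during setup land in Unexpected too and need a
        # manual review. NT AUTHORITY\SYSTEM would also land here: for an AG or FCI the
        # page grants it ALTER ANY AVAILABILITY GROUP or VIEW SERVER STATE, not sysadmin.
        Unexpected = @($names    | Where-Object { $expected -notcontains $_ })
        Missing    = @($expected | Where-Object { $names    -notcontains $_ })
        SaEnabled  = [bool]($members | Where-Object { $_.Name -ieq 'sa' -and -not $_.Disabled })
    }
}

# Usage with assumed names:
Test-SqlSysadminMembership -ServerInstance 'localhost' -InstanceName 'MSSQLSERVER' | Format-List
```

An instance installed with Windows Authentication only should report SaEnabled = False; if it reports True, the server authentication mode has been changed since setup, or sa was enabled by hand.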

SSAS Provisioning

SSAS service account requirements vary depending on how you deploy the server. If you are installing PowerPivot for SharePoint, SQL Server Setup requires that you configure the Analysis Services service to run under a domain account. Domain accounts are required to support the managed account facility that is built into SharePoint. For this reason, SQL Server Setup does not provide a default service account, such as a virtual account, for a PowerPivot for SharePoint installation. For more information about provisioning PowerPivot for SharePoint, see Configure PowerPivot Service Accounts.

For all other standalone SSAS installations, you can provision the service to run under a domain account, a built-in system account, a managed account, or a virtual account. For more information about account provisioning, see Configure Service Accounts (Analysis Services).

For clustered installations, you must specify a domain account or a built-in system account. Neither managed accounts nor virtual accounts are supported for SSAS failover clusters.

All SSAS installations require that you specify a system administrator of the Analysis Services instance. Administrator privileges are provisioned in the Analysis Services Server role.

SSRS Provisioning

The account specified during setup is provisioned in the Database Engine as a member of the RSExecRole database role. For more information, see Configure the Report Server Service Account (SSRS Configuration Manager).

Upgrading From Previous Versions

This section describes the changes made during upgrade from a previous version of SQL Server.

  • SQL Server 2014 requires Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.0, Windows Server 2012 R2, or Windows 8.1. Any previous version of SQL Server running on a lower operating system version must have the operating system upgraded before upgrading SQL Server.

  • During upgrade of SQL Server 2005 to SQL Server 2014, SQL Server Setup configures SQL Server in the following way:

    • The Database Engine runs with the security context of the per-service SID. The per-service SID is granted access to the file folders of the SQL Server instance (such as DATA) and to the SQL Server registry keys.

    • The per-service SID of the Database Engine is provisioned in the Database Engine as a member of the sysadmin fixed server role.

    • The per-service SIDs are added to the local SQL Server Windows groups, unless SQL Server is a Failover Cluster Instance.

    • The SQL Server resources remain provisioned to the local SQL Server Windows groups.

    • The local Windows group for services is renamed from SQLServer2005MSSQLUser$<computer_name>$<instance_name> to SQLServerMSSQLUser$<computer_name>$<instance_name>. File locations for migrated databases will have Access Control Entries (ACEs) for the local Windows groups. The file locations for new databases will have ACEs for the per-service SID.

  • During upgrade from SQL Server 2008, SQL Server Setup preserves the ACEs for the SQL Server 2008 per-service SID.

  • For a SQL Server Failover Cluster Instance, the ACE for the domain account configured for the service is retained.

Appendix

This section contains additional information about SQL Server services.

Description of Service Accounts

The service account is the account used to start a Windows service, such as the SQL Server Database Engine.

Accounts Available With Any Operating System

In addition to the new MSA and virtual accounts described earlier, the following accounts can be used.

Domain User Account

If the service must interact with network services, access domain resources like file shares, or use linked server connections to other computers running SQL Server, you might use a minimally privileged domain account. Many server-to-server activities can be performed only with a domain user account. This account should be pre-created by domain administration in your environment.

Note

If you configure the application to use a domain account, you can isolate the privileges for the application, but you must manually manage passwords or create a custom solution for managing them. Many server applications use this strategy to enhance security, but it requires additional administration and adds complexity. In these deployments, service administrators spend a considerable amount of time on maintenance tasks such as managing service passwords and service principal names (SPNs), which are required for Kerberos authentication. In addition, these maintenance tasks can disrupt service.

Local User Accounts

If the computer is not part of a domain, a local user account without Windows administrator permissions is recommended.

Local Service Account

The Local Service account is a built-in account that has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session without credentials. Be aware that the Local Service account is not supported for the SQL Server or SQL Server Agent services: it is a shared identity, so any other service running under Local Service would have system administrator access to SQL Server. The actual name of the account is NT AUTHORITY\LOCAL SERVICE.

Network Service Account

The Network Service account is a built-in account that has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account in the format <domain_name>\<computer_name>$. The actual name of the account is NT AUTHORITY\NETWORK SERVICE.

Local System Account

Local System is a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network. The actual name of the account is NT AUTHORITY\SYSTEM.
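The following PowerShell is an added example, not code from the original page. It inventories the SQL Server services on the local machine, classifies each one's logon account into the account types described above, and flags the combinations this section warns about: the Database Engine or Agent running as Local Service (not supported), any SQL Server service other than SQL Writer running as Local System, and domain accounts, which carry the password and SPN upkeep the Note describes. The list of executable names used to recognise SQL Server services is an assumption.

```powershell
# Added example, not part of the original page. Assumed: the executable names used
# to recognise SQL Server services. Read-only; no elevation required.

function Get-ServiceAccountKind {
    # Classify a Win32_Service.StartName value into the account types this page describes.
    param([Parameter(Mandatory)][string]$StartName)
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'   { return 'LocalSystem' }
        '^NT AUTHORITY\\Local ?Service$'         { return 'LocalService' }
        '^NT AUTHORITY\\Network ?Service$'       { return 'NetworkService' }
        '^NT SERVICE\\'                          { return 'VirtualAccount' }
        '\$$'                                    { return 'ManagedServiceAccount' }
        "^(\.|$env:COMPUTERNAME)\\"              { return 'LocalUser' }
        default                                  { return 'DomainUser' }
    }
}

function Get-SqlServiceAccountReport {
    $sqlExes = 'sqlservr\.exe', 'sqlagent\.exe', 'msmdsrv\.exe', 'ReportingServicesService\.exe',
               'MsDtsSrvr\.exe', 'sqlbrowser\.exe', 'fdlauncher\.exe', 'SqlWriter\.exe',
               'DReplayController\.exe', 'DReplayClient\.exe'
    $pattern = $sqlExes -join '|'
    $services = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -match $pattern }
    foreach ($svc in $services) {
        $kind          = Get-ServiceAccountKind -StartName $svc.StartName
        $engineOrAgent = $svc.PathName -match 'sqlservr\.exe|sqlagent\.exe'
        $finding = ''
        if ($kind -eq 'LocalService' -and $engineOrAgent) {
            $finding = 'Unsupported: Local Service is shared, so every other Local Service process would be sysadmin'
        } elseif ($kind -eq 'LocalSystem' -and $svc.Name -ne 'SQLWriter') {
            $finding = 'Review: Local System is very high privilege and acts as the computer on the network'
        } elseif ($kind -eq 'DomainUser') {
            $finding = 'Review: passwords and SPNs for this account must be maintained by hand'
        }
        [pscustomobject]@{
            Service   = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            Account   = $svc.StartName
            Kind      = $kind
            Finding   = $finding
        }
    }
}

Get-SqlServiceAccountReport | Format-Table -AutoSize
```

A clean result on a standalone server is every instance-aware service under its own virtual account (NT SERVICE\...), SQL Writer under Local System, and no findings; a domain-account finding is expected, not a fault, where the service must reach network resources as described above.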

Identifying Instance-Aware and Instance-Unaware Services

Instance-aware services are associated with a specific instance of SQL Server and have their own registry hives. You can install multiple copies of instance-aware services by running SQL Server Setup for each component or service. Instance-unaware services are shared among all installed SQL Server instances. They are not associated with a specific instance, are installed only once, and cannot be installed side-by-side.

Instance-aware services in SQL Server include the following:

  • SQL Server

  • SQL Server Agent

    Be aware that the SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.

  • Analysis Services 1

  • Reporting Services

  • Full-text search

    Instance-unaware services in SQL Server include the following:

  • Integration Services

  • SQL Server Browser

  • SQL Writer

    1 Analysis Services in SharePoint integrated mode runs as 'PowerPivot' as a single, named instance. The instance name is fixed; you cannot specify a different name. You can install only one instance of Analysis Services running as 'PowerPivot' on each physical server.

Localized Service Names

The following table shows the service names that are displayed by localized versions of Windows.

| Language | Name for Local Service | Name for Network Service | Name for Local System | Name for Admin Group |
|---|---|---|---|---|
| English, Simplified Chinese, Traditional Chinese, Korean, Japanese | NT AUTHORITY\LOCAL SERVICE | NT AUTHORITY\NETWORK SERVICE | NT AUTHORITY\SYSTEM | BUILTIN\Administrators |
| German | NT-AUTORITÄT\LOKALER DIENST | NT-AUTORITÄT\NETZWERKDIENST | NT-AUTORITÄT\SYSTEM | VORDEFINIERT\Administratoren |
| French | AUTORITE NT\SERVICE LOCAL | AUTORITE NT\SERVICE RÉSEAU | AUTORITE NT\SYSTEM | BUILTIN\Administrators |
| Italian | NT AUTHORITY\SERVIZIO LOCALE | NT AUTHORITY\SERVIZIO DI RETE | NT AUTHORITY\SYSTEM | BUILTIN\Administrators |
| Spanish | NT AUTHORITY\SERVICIO LOC | NT AUTHORITY\SERVICIO DE RED | NT AUTHORITY\SYSTEM | BUILTIN\Administradores |
| Russian | NT AUTHORITY\LOCAL SERVICE | NT AUTHORITY\NETWORK SERVICE | NT AUTHORITY\SYSTEM | BUILTIN\Администраторы |

Security Considerations for a SQL Server Installation

File Locations for Default and Named Instances of SQL Server

Install Master Data Services