Service configuration options
What is it?
The SQL Agent service can run under two different account types, and the choice you make affects the agent's security boundary, network access, and performance:
- Local System Account (recommended) — The agent has all of the system-level privileges it needs without extra configuration. Manage access to UNC paths and shared drives through the user account that runs the job and through startup scripts defined in the SQLAgent.ini file.
- Windows Domain User — Choose this only when site policy or specific network access requirements rule out Local System.
In Local System mode, select a Windows User account from your network for the Windows User ID in the job definition in Solution Manager.
For information on configuring mapped network drives in the SQLAgent.ini file, see Using the InitializationScript and TerminationScript. For information on adding a batch user for SQL, refer to Adding a Batch User for SQL in the OpCon online help.
Run the SQL Agent as the Local System Account
The Local System Account must have the following advanced Windows privileges:
- Act as part of the operating system
- Adjust memory quotas for a process
- Log on as a service
- Log on as a batch job
- Replace a process-level token
Configure the SQL Agent to run as a Local System Account
To configure the SQL Agent to run as a Local System Account, complete the following steps:
- Go to Start > Control Panel > Administrative Tools > Services.
- Select the SQL Agent service from the Services list. The Properties dialog displays.
- If not selected already, select Automatic (Delayed Start) from the Startup Type list.
- Select the Log On tab.
- Select the Local System account option.
- Select OK.
- Close the Services window.
Run the SQL Agent as a Windows Domain User
SMA Technologies strongly recommends running the agent as the Local System Account. Use a Domain User only when your environment requires it.
The domain user must have:
- Membership in the local Administrators group.
- The following advanced Windows privileges:
- Act as part of the operating system
- Adjust memory quotas for a process
- Log on as a service
- Log on as a batch job
- Replace a process-level token
The domain user must have signed in to this machine at least once before you start the service. The initial sign-in creates the Windows user profile that the SQL Agent needs in order to run as a Domain User.
Contact your domain administrator to acquire the required privileges.
Add advanced Windows privileges
To add the required advanced Windows privileges, complete the following steps:
- Go to Start > Control Panel > Administrative Tools > Local Security Policy.
- Under Security Settings, select Local Policies > User Rights Assignment.
- For each privilege in the list above, select the privilege and select Add User Or Group.
- In the Select Users Or Groups dialog, select Locations and choose the machine or domain depending on whether you are adding a local user or a domain user.
- In the object name field, enter the name of the user. To add the Local System Account, choose the current machine and enter
SYSTEM. - Repeat steps 3 through 5 for each privilege.
Configure the SQL Agent to run as a Domain User
To configure the SQL Agent to run as a Domain User, complete the following steps:
- Go to Start > Control Panel > Administrative Tools > Services.
- Select the SQL Agent service from the Services list. The Properties dialog displays.
- If not selected already, select Automatic (Delayed Start) from the Startup Type list.
- Select the Log On tab.
- Select the This account option.
- Select Browse to find the domain user.
- Select the domain user.
- Select OK.
- In the Password field, enter the password.
- In the Confirm Password field, re-enter the password.
- Select OK.
- Close the Services window.
Related topics
- Manage the SQL Agent service — Start and stop the service after changing the logon account.
- InitializationScript and TerminationScript — Map network drives the agent needs in either logon mode.
- SQLAgent.ini file configuration