Changing Service Account & Service Account Password

I recently botched an answer about why one should use SQL Configuration Manager (SQLCM) over Service Control Manager (SCM) to change service accounts and/or service account passwords for SQL Server. Let me attempt to redeem myself.

If you’re running SQL Server 2008 or later and you’re running on Windows Vista or later (Win7 or Win2K8), all resources (folders, files, registry keys, etc.) are ACL’d using the Service SID. Therefore, regardless of the account the service is running as, it will always have access to the necessary resources. SQLCM, however, does a bit of magic under the covers when you change the password on a service account to avoid a service restart. There was a bug in SQLCM that blocked this behavior, but it was fixed in a CU (SQL Server 2008 R2 CU 4 to be exact) and here’s the KB Article on the fix.

If you’re running on SQL Server 2005 or running on earlier versions of the OS (pre-Vista; WinXP & Win2K3), ACLing is done via groups, and the group membership is maintained through SQLCM. Therefore, changing the Service Account through SCM won’t update the group membership and you’ll run into permission issues.
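Why the Service SID case survives an account change, as an added example that is not part of the original post: Windows derives the per-service SID from the service name alone, so an ACE granted to it keeps matching whichever account the service runs as. The function names and the sample ACLs below are constructed for illustration.

```python
import hashlib
import struct


def service_sid(service_name: str) -> str:
    """Derive the per-service SID (NT SERVICE\\<name>) from the service name."""
    # Windows hashes the upper-cased name, encoded as UTF-16LE, with SHA-1 ...
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    # ... and reads the 20-byte digest as five little-endian 32-bit sub-authorities.
    subauthorities = struct.unpack("<5I", digest)
    return "S-1-5-80-" + "-".join(str(value) for value in subauthorities)


def has_service_sid_grant(aces, service_name: str) -> bool:
    """True if any ACE trustee is the service SID, by name or in numeric form.

    Such a grant does not depend on the logon account, so it is unaffected
    by changing the service account through SCM.
    """
    sid = service_sid(service_name)
    alias = f"NT SERVICE\\{service_name}".upper()
    return any(trustee.upper() in (sid, alias) for trustee, _rights in aces)


# Constructed sample: a data folder ACL'd with the Service SID
# (the SQL Server 2008+ on Vista-or-later case described above).
ACL_SERVICE_SID = [
    ("NT SERVICE\\MSSQLSERVER", "FullControl"),
    ("BUILTIN\\Administrators", "FullControl"),
]

# Constructed sample: a data folder ACL'd through a local group (the
# SQL Server 2005 / pre-Vista case). Access depends on the service account
# being a member of the group, which SQLCM maintains and SCM does not.
ACL_GROUP_ONLY = [
    ("HOST01\\SQLServer2005MSSQLUser$HOST01$MSSQLSERVER", "FullControl"),
    ("BUILTIN\\Administrators", "FullControl"),
]

if __name__ == "__main__":
    print("MSSQLSERVER service SID:", service_sid("MSSQLSERVER"))
    for label, acl in (("service SID", ACL_SERVICE_SID), ("group", ACL_GROUP_ONLY)):
        print(label, "ACL has account-independent grant:",
              has_service_sid_grant(acl, "MSSQLSERVER"))
```

On a live system, `sc.exe showsid MSSQLSERVER` prints the same SID for comparison.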

I hope this clarifies the difference between using SQLCM and SCM. And if I’ve botched it for a second time, I prefer my crow medium-well.

Comments

  • Anonymous
    December 15, 2010
    Thanks for the clarification. As far as Service SID, I wasn't aware this feature was added to Windows 2008/Vista OS or higher and had to look up the details. This post was helpful in explaining how per-Service SIDs work: blogs.technet.com/.../ws2008-windows-service-hardening.aspx

  • Anonymous
    January 07, 2011
    Your article is plainly explaining your answer in the forum. Thanks