dave c


I'm trying to do an unattended install of SQL Express 2005 SP2, and specify that the service runs under the Local Service account. Prior versions of SQL Express worked fine.
With SQL Express 2005 SP2, however, the install fails on XP Pro SP2. It *does* work on Windows 2003 Server.
Here's the command line I'm using:
SQLEXPR.EXE /QB ADDLOCAL=ALL INSTANCENAME=FOO SECURITYMODE=SQL SAPWD=BAR SQLACCOUNT="NT AUTHORITY\LOCAL SERVICE"
It fails at the end of the install, saying it can't start the service. If I use "NETWORK SERVICE", it works fine, but that's more privileges than I want the service to have. Is there something else on the command line that I can try to get it to work?
Is this even supported?
-Dave



Re: SQL Express 2005 SP2 and Local Service account

Jiongxiong Chen


Use the account "NT AUTHORITY\SYSTEM" for local system account.

This account may be localized on localized operating systems. Please double-check it when it is used on a localized operating system.






Re: SQL Express 2005 SP2 and Local Service account

dave c

WAIT - I didn't make it clear enough in my initial post.
 
I can get SQL running if I make it admin.  But I don't want it to run as a local admin.  I want it to run with restricted permissions.
  • Local System - has full access to the local machine
  • Network Service - restricted access to local machine, but can use remote resources, using the local machine's credentials.
  • Local Service - restricted access to local machine, can only access remote resources anonymously.
We're installing SQL Express for the user (our product uses it).  In the event that it's compromised, I don't want the service to have any more permissions than it actually needs.
 
Local Service has worked for us in the past -- it's only breaking with SQL Express 2005 SP2 on XP PRO SP2.
 
Has anyone gotten this to work?
-Dave





Re: SQL Express 2005 SP2 and Local Service account

Arnie Rowland

'NT Authority\NetworkService' is the second best option.

The best option is to create a specific domain account for SQL Server and SQL Server Agent, and provide those domain accounts JUST the minimum permissions required.

See these resources:

Configuration - Service Accounts, SQL Server 2005 - Setting Up Windows Service Accounts
http://msdn2.microsoft.com/en-us/library/ms143691.aspx
http://msdn2.microsoft.com/en-us/library/ms143504.aspx

Configuration - Service Accounts, SQL Server or SQL Server Agent service account
http://support.microsoft.com/kb/283811/en-us
http://msdn2.microsoft.com/en-us/library/ms143691.aspx

Configuration - Service Accounts, Selecting an Account for the SQL Server Agent Service
http://msdn2.microsoft.com/en-us/library/ms191543.aspx
http://support.microsoft.com/kb/907557






Re: SQL Express 2005 SP2 and Local Service account

dave c

I really need to use LocalService for my application.
I agree that a domain account would be the best choice, but my users won't be able to create a domain account during installation. And your first two links (which are very good) are the ones that suggested LocalService is the next best choice. In fact they specifically recommend NOT using NetworkService.
Here's the kicker -- in experimenting, I've found that I can install as NetworkService (installation works) and then go modify the service to use the LocalService account using the configuration tool. So it seems like LocalService is supported. Remember: prior to SP2 of SQLExpress 2005 it worked, and even the SP2 kit installs correctly on Windows 2003 server. I just can't get it to install on XP SP2.
I'm trying to find out if there's a bug in the SQL 2005 SP2 installer, or if there's something I'm missing in how I'm doing the install.
Has anyone been able to do an unattended install of SQL 2005 SP2 that uses the LocalService account on XP SP2?
-Dave




Re: SQL Express 2005 SP2 and Local Service account

dave c

Ok - I found the answer. LocalService is not supported for the SQL Agent service.
According to http://msdn2.microsoft.com/en-us/library/ms191543.aspx SQL Server Agent doesn't support LocalService.
And, according to http://msdn2.microsoft.com/en-us/library/ms143504.aspx SQL Server and SQL Agent should use the same account.
So, if I want a really secure SQL server install, I have to use a Domain User. But since my users can't create domain accounts, I'll simply fall back and take the default install, which uses NetworkService as the service's account.
-Dave
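
A post-install check for the points raised in this thread, added here as an example and not posted by any participant: it reports which account each SQL Server engine and Agent service runs under, and flags LocalSystem, an Agent under LocalService, and an engine/Agent pair on different accounts. It assumes Windows PowerShell with Get-WmiObject available and the usual service names (MSSQL$<instance> and SQLAgent$<instance>, or MSSQLSERVER and SQLSERVERAGENT for a default instance); accounts are compared by well-known SID so the check also holds on localized Windows.

```powershell
# Added example: audit SQL Server service accounts (not code from the thread).
# Well-known SIDs: S-1-5-18 LocalSystem, S-1-5-19 LocalService, S-1-5-20 NetworkService.

function Resolve-ServiceSid([string]$StartName) {
    # The service control manager reports "LocalSystem", which is handled here directly.
    if ($StartName -eq 'LocalSystem') { return 'S-1-5-18' }
    try {
        $acct = New-Object System.Security.Principal.NTAccount($StartName)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }   # unresolved name (e.g. ".\user"): leave the SID empty
}

# Engine and Agent services for named and default instances.
$services = @(Get-WmiObject Win32_Service | Where-Object {
    $_.Name -match '^(MSSQL|SQLAgent)\$' -or
    'MSSQLSERVER','SQLSERVERAGENT' -contains $_.Name
})

$report = foreach ($svc in $services) {
    $sid  = Resolve-ServiceSid $svc.StartName
    $role = if ($svc.Name -match '^(SQLAgent\$|SQLSERVERAGENT$)') { 'Agent' } else { 'Engine' }
    $inst = $svc.Name -replace '^(MSSQL|SQLAgent)\$', ''
    if ('MSSQLSERVER','SQLSERVERAGENT' -contains $inst) { $inst = '(default)' }

    $notes = @()
    if ($sid -eq 'S-1-5-18') { $notes += 'runs as LocalSystem (full local access)' }
    if ($role -eq 'Agent' -and $sid -eq 'S-1-5-19') {
        $notes += 'Agent under LocalService (not supported)'
    }

    New-Object PSObject -Property @{
        Instance = $inst; Role = $role; Service = $svc.Name
        Account  = $svc.StartName; Sid = $sid; Notes = ($notes -join '; ')
    }
}

# The engine and Agent of one instance should share an account.
$report | Group-Object Instance | ForEach-Object {
    $accounts = @($_.Group | ForEach-Object { "$($_.Account)".ToLower() } | Select-Object -Unique)
    if ($accounts.Count -gt 1) {
        Write-Warning "Instance $($_.Name): engine and Agent use different accounts"
    }
}

$report | Format-Table Instance, Role, Service, Account, Sid, Notes -AutoSize
```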