dbTalk Databases Forums  

Is Local System Account Unsafe for Service?

microsoft.public.sqlserver.server

#1 jm - Is Local System Account Unsafe for Service? - 08-04-2006, 07:49 AM

I had a problem today with SQL Server Express 2005. For whatever
reason, the network service account lost some permissions somewhere
(probably an update; I don't know what it might be) and I could not
start the SQL Server service. I changed the service to use the local
system account and it worked.

Is there any security risk using the local system account versus the
network service account? Why is there even a choice there? What's it
matter?

Thank you for any help.


Reply With Quote
#2 A McGuire - Re: Is Local System Account Unsafe for Service? - 08-04-2006, 08:14 AM

When you set up the services to run under the context of the local System
account, that means BUILTIN\Administrators will need to be a member of the
sysadmin group for that SQL Server. BUILTIN\Administrators, otherwise known
as local Administrators on that server, are not typically the folks you want
to have full rein to a SQL Server. Included in local Administrators are
Domain Administrators - again, not your typical DBAs.

It is highly recommended that you create a local account to run the services
under, or a domain user account if you need to support replication or
clustering. This account should be assigned through the Enterprise Manager,
not by changing the account directly in the Services applet. That way the
proper permissions and registry settings will be set - probably fixing your
problems. The service account needs full permissions to SQL Server
installation directories and files, backup locations, etc.

Normally an update will not be the reason that permissions are altered.
Applying security templates or group policies, however, is often the
reason. If you have group policies getting pushed to the servers, check
with the AD administrator to ensure the customized SQL Server settings for
this service account are not getting overwritten.

Especially the following:
- Act as Part of the Operating System
- Bypass Traverse Checking
- Lock Pages In Memory
- Log on as a Batch Job
- Log on as a Service
- Replace a Process Level Token

Again, these settings are taken care of if you assign the service via the
Enterprise Manager, but can and often will get overwritten by group
policies.

http://support.microsoft.com/default...;en-us;Q283811

"jm" <needin4mation (AT) gmail (DOT) com> wrote

Quote:
I had a problem today with SQL Server Express 2005. For whatever
reason, the network service account lost some permissions somewhere
(probably an update; I don't know what it might be) and I could not
start the SQL Server service. I changed the service to use the local
system account and it worked.

Is there any security risk using the local system account versus the
network service account? Why is there even a choice there? What's it
matter?

Thank you for any help.




Reply With Quote
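
The reply above lists the user rights that a group policy refresh can strip from the service account. As an added example (not code from the thread), this Python sketch reads the text that `secedit /export /cfg <file> /areas USER_RIGHTS` produces and reports which of those rights no longer name the account; the account `CONTOSO\svc_sql` and the sample export are constructed for illustration.

```python
import configparser

# User rights named in the post, keyed by the constant names secedit writes.
REQUIRED_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeChangeNotifyPrivilege": "Bypass traverse checking",
    "SeLockMemoryPrivilege": "Lock pages in memory",
    "SeBatchLogonRight": "Log on as a batch job",
    "SeServiceLogonRight": "Log on as a service",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}

# Constructed sample export, not taken from a real host.
# CONTOSO\svc_sql is a hypothetical service account. A right that is
# assigned to nobody (SeTcbPrivilege here) has no line in the export.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,CONTOSO\svc_sql
SeLockMemoryPrivilege = CONTOSO\svc_sql
SeBatchLogonRight = *S-1-5-32-544
SeServiceLogonRight = *S-1-5-20,CONTOSO\svc_sql
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
"""


def missing_rights(export_text, principals):
    """Return the required rights that none of `principals` holds.

    `principals` is the service account (name and/or SID) plus any groups
    it is a member of; comparison ignores case and the leading '*' that
    secedit puts in front of SIDs.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the Se* constant names case-sensitive
    cp.read_string(export_text)
    rights = cp["Privilege Rights"] if cp.has_section("Privilege Rights") else {}
    wanted = {p.lstrip("*").lower() for p in principals}
    missing = []
    for const, friendly in REQUIRED_RIGHTS.items():
        holders = {h.strip().lstrip("*").lower()
                   for h in rights.get(const, "").split(",") if h.strip()}
        if not holders & wanted:
            missing.append(friendly)
    return missing
```

Running the same check before and after a policy refresh shows which assignments the policy overwrote.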
#3 Frank Brouwer - Re: Is Local System Account Unsafe for Service? - 08-04-2006, 08:16 AM

Hi,

As the Local System Account is only allowed to access resources on the
"localhost" you might get into trouble with (database) replication as it may
need to access other servers. As far as I know the local System Account has
not sufficient rights to access the other server.

Regards,
Frank.

"jm" <needin4mation (AT) gmail (DOT) com> wrote

Quote:
I had a problem today with SQL Server Express 2005. For whatever
reason, the network service account lost some permissions somewhere
(probably an update; I don't know what it might be) and I could not
start the SQL Server service. I changed the service to use the local
system account and it worked.

Is there any security risk using the local system account versus the
network service account? Why is there even a choice there? What's it
matter?

Thank you for any help.




Reply With Quote
#4 A McGuire - Re: Is Local System Account Unsafe for Service? - 08-04-2006, 09:30 AM

That is correct - clustering and replication require a domain user account.

"Frank Brouwer" <frank.brouwer_no_spam (AT) trimergo (DOT) com> wrote

Quote:
Hi,

As the Local System Account is only allowed to access resources on the
"localhost" you might get into trouble with (database) replication as it
may need to access other servers. As far as I know the local System
Account has not sufficient rights to access the other server.

Regards,
Frank.

"jm" <needin4mation (AT) gmail (DOT) com> wrote in message
news:1154695761.453424.185900 (AT) s13g2000cwa (DOT) googlegroups.com...
I had a problem today with SQL Server Express 2005. For whatever
reason, the network service account lost some permissions somewhere
(probably an update; I don't know what it might be) and I could not
start the SQL Server service. I changed the service to use the local
system account and it worked.

Is there any security risk using the local system account versus the
network service account? Why is there even a choice there? What's it
matter?

Thank you for any help.






Reply With Quote