You have often seen the above default service accounts while configuring SQL Server services. Let’s see how these accounts differ.
Local System: Completely trusted account, more than the Administrator account. There is nothing on a single box that this account cannot do, and it has the right to access the network as the machine. However, the Local System account might restrict SQL Server's interaction with other servers. The actual name of the account is “NT AUTHORITY\SYSTEM”.
Take “Lock Pages in Memory” as an example: it is granted to this account by default, so there is no need to specify it explicitly.
Network Service: Has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account. The actual name of the account is “NT AUTHORITY\NETWORK SERVICE”. This account is far more limited than the Local System account.
Local Service: A limited service account that is very similar to Network Service and meant to run standard least-privileged services. However, unlike Network Service, it has no ability to access the network as the machine.
This limited access helps safeguard the system if individual services or processes are compromised.
Services that run as the Local Service account access network resources as a null session without credentials.
The actual name of the account is “NT AUTHORITY\LOCAL SERVICE”. The Local Service account is not supported for the SQL Server or SQL Server Agent services.
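To check which of these accounts the SQL Server services on a machine actually run under, the following added example (not part of the original post) reads each service's logon account from Win32_Service and classifies it using the descriptions above. It assumes the default service names (MSSQLSERVER, MSSQL$<instance>, SQLSERVERAGENT, SQLAgent$<instance>); the function name and note texts are illustrative.

```powershell
# Added example (not from the original post): classify the logon account of each
# SQL Server Database Engine and SQL Server Agent service on the local machine.
$notes = @{
    'Local System'    = 'Fully trusted on this box; accesses the network as the machine'
    'Network Service' = 'Limited; accesses the network with the computer account'
    'Local Service'   = 'Not supported for SQL Server or SQL Server Agent'
    'Other'           = 'Not one of the three built-in accounts'
}

# Hypothetical helper: map a service StartName to one of the account classes.
function Get-AccountClass([string]$StartName) {
    # Win32_Service reports e.g. "LocalSystem" or "NT AUTHORITY\NetworkService",
    # so strip whitespace and compare case-insensitively.
    switch (($StartName -replace '\s', '').ToUpper()) {
        'LOCALSYSTEM'                { 'Local System' }
        'NTAUTHORITY\SYSTEM'         { 'Local System' }
        'NTAUTHORITY\NETWORKSERVICE' { 'Network Service' }
        'NTAUTHORITY\LOCALSERVICE'   { 'Local Service' }
        default                      { 'Other' }
    }
}

# Assumed default service names for the default instance and named instances.
$pattern = '^(MSSQLSERVER|MSSQL\$.+|SQLSERVERAGENT|SQLAgent\$.+)$'

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
        $class = Get-AccountClass $_.StartName
        [pscustomobject]@{
            Service = $_.Name
            Account = $_.StartName
            Class   = $class
            Note    = $notes[$class]
        }
    } |
    Format-Table -AutoSize
```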
Hi, so if SQL is running under Local System, what do you put in the local security policy when assigning Lock Pages in Memory? I cannot find NT AUTHORITY\SYSTEM. Should I just use SYSTEM?
You can add Local Service or Network Service.