Why Service account? | SQL Server Performance Forums

SQL Server Performance Forum – Threads Archive

Why Service account?


For SQL Server and SQL Agent services, I use a domain account. When I revoked the server login of this domain account, the SQL Server and SQL Agent service can still be started? Thanks New DBA
If I understand correctly, you originally created a domain account that you used for the two service accounts in SQL Server, then you revoted the domain account, then when you restarted the services, they were able to restart, even if the acccount was revoked. There are two possibilities that I can think of that could cause this, both temporary. First, if you have more than one Active Directory server in your network, possible not all of them were updated with the revoked account information when you made your test. AD replication sometimes takes a while to work. If this is the case, if you try it the next day, then you should see a failure. Second, Windows caches credentials, and it what may have happened is that the credentials are cached for this account on you SQL Server. At some point these credentials will time out, or if you reboot the SQL Server, the cached credentials will go away. At this point, then the services should not start. —————————–
Brad M. McGehee, SQL Server MVP
For security consideration, we revoke all the server logins except SA and our team group contains 8 people, the domain account SQLServices was not included into the 8 people user group, and it was used to run SQL and SQL Agent services. The team supported over 200 sql hosts, we did totally same things to every servers, just curious, even revoked the SQLServices domain account, SQL and SQL Agent Services worked good past. New DBA
]]>