Some idiosyncrasies in SQL Server service and service user group names

In doing research for the Service SID posting, I encountered some odd things about service names, service user group names and services. I said I'd write about these; this is the followup post.

Most of the information about Windows Services, Service Accounts, and user groups that are created for SQL Server services (for security purposes) is documented in the SQL Server Books Online.This would be: for SQL Server 2005. Replace the SQL.90 portion of the URL with SQL.100, SQL.105, and SQL.110 for SQL Server 2008, 2008 R2, and Denali respectively.

The Service SID always follows the service name, which is usually (but not always) related to the service group name. However there are some idiosyncrasies.

Given a machine name of ZMV08, with a default instance and a named instance called SQLDEV01..
— The browser service user group is always called SQLServer2005SQLBrowserUser$ZMV08
— Reporting service user groups changed in SQL Server 2008 R2
   SQLServerReportServerUser$ZMV08$MSRS10.MSSQLSERVER for SQL Server 2008 default instance
   SQLServerReportServerUser$ZMV08$MSRS10_50.MSSQLSERVER for SQL Server 2008 R2 default instance
   In Denali, its back to SQLServerReportServerUser$ZMV08$MSRS10.MSSQLSERVER, but I bet that changes before RTM.
— The name of the SSIS service changes
   MsDtsServer in SQL Server 2005
   MsDtsServer100 in SQL Server 2008 and SQL Server 2008 R2
   MsDtsServer110 in SQL Server Denali
   Again, the service SID name always reflects the service name
— The name of the SQL Server Active Directory Helper service is similar to the SSIS service
   MSSQLServerADHelper in SQL Server 2005
   MSSQLServerADHelper100 in SQL Server 2008 and R2
   This Service has been removed from SQL Server Denali
— The user group SQLServerFDHostUser$ZMV08$MSSQLSERVER does not contain any users, regardless of the usage or non-usage of Service SIDs
   And, although BOL says otherwise, this name does not appear to be release-dependent,  The name of the service is MSSQLFDLauncher, rather than FDHOST.
— The service user group for SQL Server Active Directory Helper, which DOES use a Service SID, does not contain either the Service SID or the service account user name. Instead, this group contains NT AUTHORITY\NETWORK SERVICE and NT AUTHORITY\SYSTEM.

The point of this whole exercise was to point out that scripts (like a custom PowerShell script, for instance) that use these names may need to take version into account. I hope this helps.


Other articles

Imagine feeling confident enough to handle whatever your database throws at you.

With training and consulting from SQLskills, you’ll be able to solve big problems, elevate your team’s capacity, and take control of your data career.