Nov 2023 Discount: Comprehensive Database Performance Health Check | Testimonials

SQL SERVER – Unable to Start SQL When Service Account is Removed From Local Administrators Group. Why?

Pinal Dave
SQL
1 Comment

One of my clients wanted to secure their SQL Server. One of the rules was that wanted to avoid running SQL Server service with an account which is part of local “Administrators” group. They wanted to provide the minimal permissions needed for the SQL server service account for SQL Server to function.

Below are the respective articles for each version that outline the permissions assigned to the service accounts:

Configure Windows Service Accounts and Permissions (SQL Server 2016 and later)
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions

Configure Windows Service Accounts and Permissions (SQL Server 2014)
https://msdn.microsoft.com/en-US/library/ms143504(SQL.120).aspx#Windows

Configure Windows Service Accounts and Permissions (SQL Server 2012)
https://msdn.microsoft.com/en-US/library/ms143504(SQL.110).aspx#Windows

Setting Up Windows Service Accounts (SQL Server 2008 R2)
http://msdn.microsoft.com/en-us/library/ms143504(v=sql.105).aspx#Review_NT_rights

Setting Up Windows Service Accounts (SQL Server 2008)
http://msdn.microsoft.com/en-us/library/ms143504(v=sql.100).aspx#Review_NT_rights

Setting Up Windows Service Accounts (SQL Server 2005)
http://msdn.microsoft.com/en-us/library/ms143504(v=sql.90).aspx#Review_NT_rights

When I spoke to my client, they already removed service account from the Administrators group. As per article, we have permissions in security policy, but still we were not able to start SQL Service. By looking further into the Event Viewer, under Application Log we see the error :

“initerrlog: Could not open error log file ”. Operating system error = 3(The system cannot find the path specified.)”.

SQL SERVER – Event 17058 – initerrlog: Could not Open Error Log File

If we provide incorrect path, we generally see below message.

initerrlog: Could not open error log file ‘C:\BadPath\Errorlog.txt’. Operating system error = 3(The system cannot find the path specified.).”

Notice the blank path in an error message.  Later, we used one of my favorite tools called as Process Monitor and ran the tool to look for registry read activity. We knew that the service was queried for the for the start-up parameters which are saved in the registry and we wanted to check how it does it. We saw we were getting Access Denied for the Account: Americas\SAPPROD_SQLSvc on the registry hive:

HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQLServer\Parameters

Seeing that, we went to the registry hive and checked if the service account had permission and found that the user did not have permission, we also saw that the there was a group, SQLServerMSSQLUser$MPNA01$MSSQLSERVER

WORKAORUND/SOLUTION

We were able to fix the issue by adding Service Account Americas\SAPPROD_SQLSvc to the group SQLServerMSSQLUser$MPNA01$MSSQLSERVER

Reference: Pinal Dave (https://blog.sqlauthority.com)

SQL Error Messages, SQL Log, SQL Server, SQL Server Services
Previous Post
SQL SERVER – An Error Occurred While Obtaining the Dedicated Administrator Connection (DAC) Port
Next Post
SQL SERVER – Setup Rule: Microsoft .NET Application Security. The computer cannot access the Internet

Related Posts

1 Comment. Leave new

  • Ram
    July 12, 2017 4:18 pm

    Hello Sir,

    All the time you bring new content which is really very very helpful. it really motivates to youth to start their own startup without depending on their boss or parents if it comes to me i’ll give my entire credit to you.

    Few Days before i have desgined a site after Knowing about wordpress and according to me it’s even looks quite professonal in compare to my competitors. But its running slow in compare to them can you please suggest me a good hosting and a suitable platform.

    Thanks a’lot sir
    Bye

    Reply

Leave a ReplyCancel reply

Pinal Dave is an SQL Server Performance Tuning Expert and independent consultant with over 22 years of hands-on experience. He holds a Masters of Science degree and numerous database certifications.

Pinal has authored 13 SQL Server database books and 56 Pluralsight courses. To freely share his knowledge and help others build their expertise, Pinal has also written more than 5,700 database tech articles on his blog at https://blog.sqlauthority.com.

Pinal is an experienced and dedicated professional with a deep commitment to flawless customer service. If you need help with any SQL Server Performance Tuning Issues, please feel free to reach out at pinal@sqlauthority.com.

Pinal is also a CrossFit Level 1 Trainer (CF-L1) and CrossFit Level 2 Trainer (CF-L2).

Nupur Dave is a social media enthusiast and an independent consultant. She primarily focuses on the database domain, helping clients build short and long-term multi-channel campaigns to drive leads for their sales pipeline.

Is your SQL Server running slow and you want to speed it up without sharing server credentials? In my Comprehensive Database Performance Health Check, we can work together remotely and resolve your biggest performance troublemakers in less than 4 hours.

Once you learn my business secrets, you will fix the majority of problems in the future.

Have you ever opened any PowerPoint deck when you face SQL Server Performance Tuning emergencies? SQL Server Performance Tuning Practical Workshop is my MOST popular training with no PowerPoint presentations and 100% practical demonstrations.

Essentially I share my business secrets to optimize SQL Server performance.

Exit mobile version