Executed as user : Domain\Account.
The process could not be created for step Step Number of job Unique Job ID (reason: A required privilege is not held by the client). The step failed.
To resolve this error, you should do the following using SQL Server Configuration Manager:
Temporarily change the SQL Agent service account back to default virtual account (Default instance: NT Service\SQLSERVERAGENT. Named instance: NT Service\SQLAGENT$<instance_name>.)
Restart SQL Server Agent Service
Change the service account back to the desired domain account
Restart SQL Server Agent service
For Analysis Services instances that you deploy in a SharePoint farm, always use SharePoint Central Administration to change the server accounts for Power Pivot service applications and the Analysis Services service. Associated settings and permissions are updated to use the new account information when you use Central Administration.
To change Reporting Services options, use the Reporting Services Configuration Tool.
Managed service accounts, group-managed service accounts, and virtual accounts
Managed service accounts, group-managed service accounts, and virtual accounts are designed to provide crucial applications such as SQL Server with the isolation of their own accounts, while eliminating the need for an administrator to manually administer the Service Principal Name (SPN) and credentials for these accounts. These make long-term management of service account users, passwords and SPNs much easier.
Managed service accounts
A managed service account (MSA) is a type of domain account created and managed by the domain controller. It is assigned to a single member computer for use running a service. The password is managed automatically by the domain controller. You can't use an MSA to sign into a computer, but a computer can use an MSA to start a Windows service. An MSA has the ability to register a Service Principal Name (SPN) within Active Directory when given read and write servicePrincipalName permissions. An MSA is named with a $
suffix, for example DOMAIN\ACCOUNTNAME$
. When specifying an MSA, leave the password blank. Because an MSA is assigned to a single computer, it can't be used on different nodes of a Windows cluster.
The MSA must be created in the Active Directory by the domain administrator before SQL Server setup can use it for SQL Server services.
Group-managed service accounts
A group-managed service account (gMSA) is an MSA for multiple servers. Windows manages a service account for services running on a group of servers. Active Directory automatically updates the group-managed service account password without restarting services. You can configure SQL Server services to use a group-managed service account principal. Beginning with SQL Server 2014, SQL Server supports group-managed service accounts for standalone instances, and SQL Server 2016 and later for failover cluster instances, and availability groups.
To use a gMSA for SQL Server 2014 or later, the operating system must be Windows Server 2012 R2 or later. Servers with Windows Server 2012 R2 require KB 2998082 applied so that the services can sign in without disruption immediately after a password change.
For more information, see Group Managed Service Accounts for Windows Server 2016 and later. For previous versions of Windows Server, see Group Managed Service Accounts.
The gMSA must be created in the Active Directory by the domain administrator before SQL Server setup can use it for SQL Server services.
Virtual accounts
Virtual accounts (beginning with Windows Server 2008 R2 and Windows 7) are managed local accounts that provide the following features to simplify service administration. The virtual account is auto-managed, and the virtual account can access the network in a domain environment. If the default value is used for the service accounts during SQL Server setup, a virtual account using the instance name as the service name is used, in the format NT SERVICE\<SERVICENAME>
. Services that run as virtual accounts access network resources by using the credentials of the computer account in the format <domain_name>\<computer_name>$
. When specifying a virtual account to start SQL Server, leave the password blank. If the virtual account fails to register the Service Principal Name (SPN), register the SPN manually. For more information on registering an SPN manually, see Manual SPN Registration.
Virtual accounts can't be used for SQL Server failover cluster instance, because the virtual account would not have the same SID on each node of the cluster.
The following table lists examples of virtual account names.
Service
Virtual account name
For more information on managed service accounts and virtual accounts, see the Managed service account and virtual account concepts section of Service Accounts Step-by-Step Guide and Managed Service Accounts Frequently Asked Questions (FAQ).
Always run SQL Server services by using the lowest possible user rights. Use a MSA, gMSA or virtual account when possible. When MSA, gMSA and virtual accounts aren't possible, use a specific low-privilege user account or domain account instead of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Don't grant additional permissions to the SQL Server service account or the service groups. Permissions are granted through group membership or granted directly to a service SID, where a service SID is supported.
Automatic startup
In addition to having user accounts, every service has three possible startup states that users can control:
Disabled. The service is installed but not currently running.
Manual. The service is installed, but starts only when another service or application needs its functionality.
Automatic. The service is automatically started by the operating system.
The startup state is selected during setup. When installing a named instance, the SQL Server Browser service should be set to start automatically.
The following table shows the SQL Server services that can be configured during installation. For unattended installations, you can use the switches in a configuration file or at a command prompt.
SQL Server service name
Switches for unattended installations 1
SQL Server Distributed Replay Controller
DRU_CTLR, CTLRSVCACCOUNT, CTLRSVCPASSWORD, CTLRSTARTUPTYPE, CTLRUSERS
SQL Server Distributed Replay Client
DRU_CLT, CLTSVCACCOUNT, CLTSVCPASSWORD, CLTSTARTUPTYPE, CLTCTLRNAME, CLTWORKINGDIR, CLTRESULTDIR
R Services or Machine Learning Services
EXTSVCACCOUNT, EXTSVCPASSWORD, ADVANCEDANALYTICS 3
PolyBase Engine
PBENGSVCACCOUNT, PBENGSVCPASSWORD, PBENGSVCSTARTUPTYPE, PBDMSSVCACCOUNT, PBDMSSVCPASSWORD, PBDMSSVCSTARTUPTYPE, PBSCALEOUT, PBPORTRANGE
1 For more information and sample syntax for unattended installations, see Install SQL Server from the Command Prompt.
2 The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.
3 Setting the account for Launchpad through the switches alone isn't currently supported. Use SQL Server Configuration Manager to change the account and other service settings.
Firewall port
In most cases, when initially installed, the Database Engine can be connected to by tools such as SQL Server Management Studio installed on the same computer as SQL Server. SQL Server Setup doesn't open ports in the Windows firewall. Connections from other computers may not be possible until the Database Engine is configured to listen on a TCP port, and the appropriate port is opened for connections in the Windows firewall. For more information, see Configure the Windows Firewall to Allow SQL Server Access.
Service permissions
This section describes the permissions that SQL Server Setup configures for the per-service SIDs of the SQL Server services.
Service configuration and access control
Windows privileges and rights
File system permissions granted to SQL Server per-service SIDs or SQL Server local Windows groups
File system permissions granted to other Windows user accounts or groups
File system permissions related to unusual disk locations
Reviewing additional considerations
Registry permissions
Named pipes
Service configuration and access control
SQL Server enables per-service SID for each of its services to provide service isolation and defense in depth. The per-service SID is derived from the service name and is unique to that service. For example, a service SID name for a named instance of the Database Engine service might be NT Service\MSSQL$<instance_name>
. Service isolation enables access to specific objects without the need to run a high-privilege account or weaken the security protection of the object. By using an access control entry that contains a service SID, a SQL Server service can restrict access to its resources.
On Windows 7 and Windows Server 2008 R2 (and later), the per-service SID can be the virtual account used by the service.
For most components SQL Server configures the ACL for the per-service account directly, so changing the service account can be done without having to repeat the resource ACL process.
When installing SSAS, a per-service SID for the Analysis Services service is created. A local Windows group is created, named in the format SQLServerMSASUser$<computer_name>$<instance_name>
. The per-service SID NT SERVICE\MSSQLServerOLAPService
is granted membership in the local Windows group, and the local Windows group is granted the appropriate permissions in the ACL. If the account used to start the Analysis Services service is changed, SQL Server Configuration Manager must change some Windows permissions (such as the right to log on as a service), but the permissions assigned to the local Windows group is still available without any updating, because the per-service SID hasn't changed. This method allows the Analysis Services service to be renamed during upgrades.
During SQL Server installation, SQL Server Setup creates a local Windows group for SSAS and the SQL Server Browser service. For these services, SQL Server configures the ACL for the local Windows groups.
Depending on the service configuration, the service account for a service or service SID is added as a member of the service group during install or upgrade.
Windows privileges and rights
The account assigned to start a service needs the Start, stop and pause permission for the service. The SQL Server Setup program automatically assigns this. First install Remote Server Administration Tools (RSAT). See Remote Server Administration Tools for Windows 10.
The following table shows permissions that SQL Server Setup requests for the per-service SIDs or local Windows groups used by SQL Server components.
SQL Server Service
Permissions granted by SQL Server Setup
SQL Server Database Engine:
(All rights are granted to the per-service SID. Default instance: NT SERVICE\MSSQLSERVER
. Named instance: NT Service\MSSQL$<instance_name>
.)
Log on as a service (SeServiceLogonRight)
Replace a process-level token (SeAssignPrimaryTokenPrivilege)
Bypass traverse checking (SeChangeNotifyPrivilege)
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
Permission to start SQL Writer
Permission to read the Event Log service
Permission to read the Remote Procedure Call service
SQL Server Agent: 1
(All rights are granted to the per-service SID. Default instance: NT Service\SQLSERVERAGENT
. Named instance: NT Service\SQLAGENT$<instance_name>
.)
Log on as a service (SeServiceLogonRight)
Replace a process-level token (SeAssignPrimaryTokenPrivilege)
Bypass traverse checking (SeChangeNotifyPrivilege)
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
SSAS:
(All rights are granted to a local Windows group. Default instance: SQLServerMSASUser$<computer_name>$MSSQLSERVER
. Named instance: SQLServerMSASUser$<computer_name>$<instance_name>
. Power Pivot for SharePoint instance: SQLServerMSASUser$<computer_name>$PowerPivot
.)
Log on as a service (SeServiceLogonRight)
For tabular only:
Increase a process working set (SeIncreaseWorkingSetPrivilege)
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
Lock pages in memory (SeLockMemoryPrivilege) - this is needed only when paging is turned off entirely.
For failover cluster installations only:
Increase scheduling priority (SeIncreaseBasePriorityPrivilege)
SSRS:
(All rights are granted to the per-service SID. Default instance: NT SERVICE\ReportServer
. Named instance: NT SERVICE\ReportServer$<instance_name>
.)
Log on as a service (SeServiceLogonRight)
SSIS:
(All rights are granted to the per-service SID. Default instance and named instance: NT SERVICE\MsDtsServer150
. Integration Services doesn't have a separate process for a named instance.)
Log on as a service (SeServiceLogonRight)
Permission to write to application event log.
Bypass traverse checking (SeChangeNotifyPrivilege)
Impersonate a client after authentication (SeImpersonatePrivilege)
Full-text search:
(All rights are granted to the per-service SID. Default instance: NT Service\MSSQLFDLauncher
. Named instance: NT Service\ MSSQLFDLauncher$<instance_name>
.)
Log on as a service (SeServiceLogonRight)
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
Bypass traverse checking (SeChangeNotifyPrivilege)
SQL Server Browser:
(All rights are granted to a local Windows group. Default or named instance: SQLServer2005SQLBrowserUser$<computer_name>
. SQL Server Browser doesn't have a separate process for a named instance.)
Log on as a service (SeServiceLogonRight)
SQL Server VSS Writer:
(All rights are granted to the per-service SID. Default or named instance: NT Service\SQLWriter
. SQL Server VSS Writer doesn't have a separate process for a named instance.)
The SQLWriter service runs under the LOCAL SYSTEM account that has all the required permissions. SQL Server setup doesn't check or grant permissions for this service.
SQL Server Distributed Replay Controller:
Log on as a service (SeServiceLogonRight)
SQL Server Distributed Replay Client:
Log on as a service (SeServiceLogonRight)
PolyBase Engine and DMS:
Log on as a service (SeServiceLogonRight)
Launchpad:
Log on as a service (SeServiceLogonRight)
Replace a process-level token (SeAssignPrimaryTokenPrivilege)
Bypass traverse checking (SeChangeNotifyPrivilege)
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
R Services/Machine Learning Services: SQLRUserGroup (SQL Server 2016 (13.x) and SQL Server 2017 (14.x))
doesn't have the Allow Log on locally permission by default
Machine Learning Services: 'All Application Packages' [AppContainer] (SQL Server 2019 (15.x))
Read and execute permissions to the SQL Server 'Binn', R_Services, and PYTHON_Services directories
1 The SQL Server Agent service is disabled on instances of SQL Server Express.
File system permissions granted to SQL Server per-service SIDs or local Windows groups
SQL Server service accounts must have access to resources. Access control lists are set for the per-service SID or the local Windows group.
Important
For failover cluster installations, resources on shared disks must be set to an ACL for a local account.
The following table shows the ACLs that are set by SQL Server Setup:
Service account for
Files and folders
Access
SQL Server Distributed Replay Controller
<ToolsDir>\DReplayController\Log\ (empty directory)
Read, Execute, List Folder Contents
<ToolsDir>\DReplayController\DReplayController.exe
Read, Execute, List Folder Contents
<ToolsDir>\DReplayController\resources|Read, Execute, List Folder Contents
1 The SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.
When database files are stored in a user-defined location, you must grant the per-service SID access to that location. For more information about granting file system permissions to a per-service SID, see Configure File System Permissions for Database Engine Access.
File system permissions granted to other Windows user accounts or groups
Some access control permissions might have to be granted to built-in accounts or other SQL Server service accounts. The following table lists additional ACLs that are set by SQL Server Setup.
Requesting component
Account
Resource
Permissions
Reporting Services
Report Server Windows Service Account
<install>\Reporting Services\LogFiles
DELETE
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
Report Server Windows Service Account
<install>\Reporting Services\ReportServer
Report Server Windows Service Account
<install>\Reporting Services\ReportServer\global.asax
Report Server Windows Service Account
<install>\Reporting Services\RSWebApp
Read, Execute
Everyone
<install>\Reporting Services\ReportServer\global.asax
READ_CONTROL
FILE_READ_DATA
FILE_READ_EA
FILE_READ_ATTRIBUTES
ReportServer Windows Services Account
<install>\Reporting Services\ReportServer\rsreportserver.config
DELETE
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
Everyone
Report Server keys (Instid hive)
Query Value
Enumerate SubKeys
Notify
Read Control
Terminal Services User
Report Server keys (Instid hive)
Query Value
Set Value
Create SubKey
Enumerate SubKey
Notify
Delete
Read Control
Power Users
Report Server keys (Instid hive)
Query Value
Set Value
Create Subkey
Enumerate Subkeys
Notify
Delete
Read Control
1 This is the WMI provider namespace.
File system permissions related to unusual disk locations
The default drive for locations for installation is system drive, normally drive C. This section describes additional considerations when tempdb or user databases are installed to unusual locations.
Non-default drive
When installed to a local drive that isn't the default drive, the per-service SID must have access to the file location. SQL Server Setup provisions the required access.
Network share
When databases are installed to a network share, the service account must have access to the file location of the user and tempdb
databases. SQL Server Setup can't provision access to a network share. The user must provision access to a tempdb location for the service account before running setup. The user must provision access to the user database location before creating the database.
Virtual accounts can't be authenticated to a remote location. All virtual accounts use the permission of machine account. Provision the machine account in the format <domain_name>\<computer_name>$
.
Review additional considerations
The following table shows the permissions that are required for SQL Server services to provide additional functionality.
Service/Application
Functionality
Required permission
SQL Server (MSSQLSERVER)
Write to a mail slot using xp_sendmail.
Network write permissions.
SQL Server (MSSQLSERVER)
Run xp_cmdshell for a user other than a SQL Server administrator.
Act as part of operating system and replace a process-level token.
SQL Server Agent (MSSQLSERVER)
Use the auto restart feature.
Must be a member of the Administrators local group.
Database Engine Tuning Advisor
Tunes databases for optimal query performance.
On first use, a user who has system administrative credentials must initialize the application. After initialization, dbo users can use the Database Engine Tuning Advisor to tune only those tables that they own. For more information, see Start and use the Database Engine Tuning Advisor.
Important
Before you upgrade SQL Server, enable SQL Server Agent and verify the required default configuration: that the SQL Server Agent service account is a member of the SQL Server sysadmin fixed server role.
Registry permissions
The registry hive is created under HKLM\Software\Microsoft\Microsoft SQL Server\<Instance_ID>
for instance-aware components. For example:
HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL15.MyInstance
HKLM\Software\Microsoft\Microsoft SQL Server\MSASSQL15.MyInstance
HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL.150
The registry also maintains a mapping of instance ID to instance name. Instance ID to instance name mapping is maintained as follows:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\SQL] "InstanceName"="MSSQL15"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\OLAP] "InstanceName"="MSASSQL15"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\RS] "InstanceName"="MSRSSQL15"
Windows Management Instrumentation (WMI) must be able to connect to the Database Engine. To support this, the per-service SID of the Windows WMI provider (NT SERVICE\winmgmt
) is provisioned in the Database Engine.
The SQL WMI provider requires the following minimal permissions:
Membership in the db_ddladmin or db_owner fixed database roles in the msdb
database.
CREATE DDL EVENT NOTIFICATION permission in the server.
CREATE TRACE EVENT NOTIFICATION permission in the Database Engine.
VIEW ANY DATABASE server-level permission.
SQL Server setup creates a SQL WMI namespace and grants read permission to the SQL Server Agent service-SID.
Named pipes
In all installation, SQL Server Setup provides access to the SQL Server Database Engine through the shared memory protocol, which is a local named pipe.
Provisioning
This section describes how accounts are provisioned inside the various SQL Server components.
Database Engine provisioning
Windows principals
SA account
SQL Server per-service SID login and privileges
SQL Server Agent login and privileges
HADRON and SQL failover cluster instance and privileges
SQL Writer and privileges
SQL WMI and privileges
SSAS provisioning
SSRS provisioning
Database Engine provisioning
The following accounts are added as logins in the SQL Server Database Engine.
Windows principals
During setup, SQL Server Setup requires at least one user account to be named as a member of the sysadmin fixed server role.
SA account
The sa account is always present as a Database Engine login and is a member of the sysadmin fixed server role. When the Database Engine is installed using only Windows Authentication (that is when SQL Server Authentication isn't enabled), the sa login is still present but is disabled and the password is complex and random. For information about enabling the sa account, see Change Server Authentication Mode.
SQL Server per-service SID login and privileges
The per-service SID (sometimes also called service security principal (SID)) of the SQL Server service is provisioned as a Database Engine login. The per-service SID login is a member of the sysadmin fixed server role. For information about per-service SID, see Using Service SIDs to grant permissions to services in SQL Server.
SQL Server Agent login and privileges
The per-service SID of the SQL Server Agent service is provisioned as a Database Engine login. The per-service SID login is a member of the sysadmin fixed server role.
Always On availability groups and SQL failover cluster instance and privileges
When installing the Database Engine as a Always On availability groups or SQL failover cluster instance (SQL FCI), LOCAL SYSTEM is provisioned in the Database Engine. The LOCAL SYSTEM login is granted the ALTER ANY AVAILABILITY GROUP permission (for Always On availability groups) and the VIEW SERVER STATE permission (for SQL FCI).
SQL Writer and privileges
The per-service SID of the SQL Server VSS Writer service is provisioned as a Database Engine login. The per-service SID login is a member of the sysadmin fixed server role.
SQL WMI and privileges
SQL Server Set up provisions the NT SERVICE\Winmgmt
account as a Database Engine login and adds it to the sysadmin fixed server role.
SSRS provisioning
The account specified during setup is provisioned as a member of the RSExecRole database role. For more information, see Configure the Report Server Service Account (SSRS Configuration Manager).
SSAS provisioning
SSAS service account requirements vary depending on how you deploy the server. If you're installing Power Pivot for SharePoint, SQL Server Setup requires that you configure the Analysis Services service to run under a domain account. Domain accounts are required to support the managed account facility that is built into SharePoint. For this reason, SQL Server Setup doesn't provide a default service account, such as a virtual account, for a Power Pivot for SharePoint installation. For more information about provisioning Power Pivot for SharePoint, see Configure Power Pivot Service Accounts.
For all other standalone SSAS installations, you can provision the service to run under a domain account, built-in system account, managed account, or virtual account. For more information about account provisioning, see Configure Service Accounts (Analysis Services).
For clustered installations, you must specify a domain account or a built-in system account. Neither managed accounts nor virtual accounts are supported for SSAS failover clusters.
All SSAS installations require that you specify a system administrator of the Analysis Services instance. Administrator privileges are provisioned in the Analysis Services Server role.
SSRS provisioning
The account specified during setup is provisioned in the Database Engine as a member of the RSExecRole database role. For more information, see Configure the Report Server Service Account (SSRS Configuration Manager).
Upgrade from previous versions
This section describes the changes made during upgrade from a previous version of SQL Server.
SQL Server 2019 (15.x) requires a supported operating system. Any previous version of SQL Server running on a lower operating system version must have the operating system upgraded before upgrading SQL Server.
During upgrade of SQL Server 2005 (9.x) to SQL Server 2019 (15.x) setup configures the SQL Server instance in the following way:
The Database Engine runs with the security context of the per-service SID. The per-service SID is granted access to the file folders of the SQL Server instance (such as DATA), and the SQL Server registry keys.
The per-service SID of the Database Engine is provisioned in the Database Engine as a member of the sysadmin fixed server role.
The per-service SIDs are added to the local SQL Server Windows groups, unless SQL Server is a failover cluster instance.
The SQL Server resources remain provisioned to the local SQL Server Windows groups.
The local Windows group for services is renamed from SQLServer2005MSSQLUser$<computer_name>$<instance_name>
to SQLServerMSSQLUser$<computer_name>$<instance_name>
. File locations for migrated databases has Access Control Entries (ACE) for the local Windows groups. The file locations for new databases has ACEs for the per-service SID.
During upgrade from SQL Server 2008 (10.0.x), SQL Server Setup preserves the ACEs for the SQL Server 2008 (10.0.x) per-service SID.
For a SQL Server failover cluster instance, the ACE for the domain account configured for the service are retained.
Appendix
This section contains additional information about SQL Server services.
Description of service Accounts
Identifying instance-aware and instance-unaware services
Localized service names
Description of service accounts
The service account is the account used to start a Windows service, such as the SQL Server Database Engine. For running SQL Server, it isn't required to add the Service Account as a Login to SQL Server in addition to the Service SID, which is always present and a member of the sysamin fixed server role.
Accounts available with any operating system
In addition to the new MSA, gMSA and virtual accounts described earlier, the following accounts can be used.
Domain user account
If the service must interact with network services, access domain resources like file shares or if it uses linked server connections to other computers running SQL Server, you might use a minimally-privileged domain account. Many server-to-server activities can be performed only with a domain user account. This account should be pre-created by domain administration in your environment.
If you configure the SQL Server to use a domain account, you can isolate the privileges for the Service, but must manually manage passwords or create a custom solution for managing these passwords. Many server applications use this strategy to enhance security, but this strategy requires additional administration and complexity. In these deployments, service administrators spend a considerable amount of time on maintenance tasks such as managing service passwords and service principal names (SPNs), which are required for Kerberos authentication. In addition, these maintenance tasks can disrupt service.
Local user accounts
If the computer isn't part of a domain, a local user account without Windows administrator permissions is recommended.
Local Service account
The Local Service account is a built-in account that has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the local service account access network resources as a null session without credentials.
The local service account isn't supported for the SQL Server or SQL Server Agent services. Local Service isn't supported as the account running those services because it is a shared service and any other services running under local service would have system administrator access to SQL Server.
The actual name of the account is NT AUTHORITY\LOCAL SERVICE
.
Network Service account
The Network Service account is a built-in account that has more access to resources and objects than members of the Users group. Services that run as the network service account access network resources by using the credentials of the computer account in the format <domain_name>\<computer_name>$
. The actual name of the account is NT AUTHORITY\NETWORK SERVICE
.
Local System account
Local System is a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network. The actual name of the account is NT AUTHORITY\SYSTEM.
Identify instance-aware and instance-unaware services
Instance-aware services are associated with a specific instance of SQL Server, and have their own registry hives. You can install multiple copies of instance-aware services by running SQL Server Setup for each component or service. Instance-unaware services are shared among all installed SQL Server instances. They aren't associated with a specific instance, are installed only once, and can't be installed side by side.
Instance-aware services in SQL Server include the following:
SQL Server
SQL Server Agent
Be aware that the SQL Server Agent service is disabled on instances of SQL Server Express and SQL Server Express with Advanced Services.
Analysis Services
Analysis Services in SharePoint integrated mode runs as 'Power Pivot' as a single, named instance. The instance name is fixed. You can't specify a different name. You can install only one instance of Analysis Services running as 'Power Pivot' on each physical server.
Reporting Services
Full-text search
Instance-unaware services in SQL Server include the following:
Integration Services
SQL Server Browser
SQL Writer
Localized service names
The following table shows service names that are displayed by localized versions of Windows.
Language
Name for Local Service
Name for Network Service
Name for Local System
Name for Admin Group
English
Simplified Chinese
Traditional Chinese
Korean
Japanese
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
BUILTIN\Administrators
German
NT-AUTORITÄT\LOKALER DIENST
NT-AUTORITÄT\NETZWERKDIENST
NT-AUTORITÄT\SYSTEM
VORDEFINIERT\Administratoren
French
AUTORITE NT\SERVICE LOCAL
AUTORITE NT\SERVICE RÉSEAU
AUTORITE NT\SYSTEM
BUILTIN\Administrators
Italian
NT AUTHORITY\SERVIZIO LOCALE
NT AUTHORITY\SERVIZIO DI RETE
NT AUTHORITY\SYSTEM
BUILTIN\Administrators
Spanish
NT AUTHORITY\SERVICIO LOC
NT AUTHORITY\SERVICIO DE RED
NT AUTHORITY\SYSTEM
BUILTIN\Administradores
Russian
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\СИСТЕМА
BUILTIN\Администраторы
Next steps
Security Considerations for a SQL Server Installation
File Locations for Default and Named Instances of SQL Server
Install Master Data Services