What do you do if you need a process running under Local Service to connect to your SQL Server? Most of the advice out there is to change the login account. I actually agree with that, but there are times you can’t, or don’t want to.
There are certainly times when I’ve seen some automated process use one of these accounts:
- NT Authority\Network Service
- NT Authority\Local Service
Often this is because someone doesn’t want to bother to learn how to enable other accounts for their application, which isn’t a good excuse. In my case, I had a local VSTS agent service running as part of a demo, where I had very limited rights. I couldn’t effect a change, and I needed to get a new login for SQL Server.
I searched a bit, but most advice said to just change the account. After all, if you had a process connecting from another machine, Local Service won’t work. However, I found one item on Stack Overflow that helped.
Here’s my Login list. As you can see, I have Network Service, but not Local Service.
I then run this code:
CREATE LOGIN [NT AUTHORITY\LOCAL SERVICE] FROM WINDOWS;
This gives me a new login.
In my situation, I then had to add this to the dbcreator role, but I could treat this like any other login and assign the minimum privileges needed.
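The steps above as one re-runnable script, added here as an example and not part of the original post: it creates the login only if it is missing, adds it to dbcreator, then lists the login's server roles and explicit server-level permissions so you can confirm it holds nothing beyond what was intended. It assumes SQL Server 2012 or later for ALTER SERVER ROLE ... ADD MEMBER.

```sql
-- Added example (not from the original post).
-- Assumes SQL Server 2012+ for ALTER SERVER ROLE ... ADD MEMBER.

-- 1. Create the Windows login for Local Service only if it does not exist yet.
IF NOT EXISTS (
    SELECT 1
    FROM sys.server_principals
    WHERE name = N'NT AUTHORITY\LOCAL SERVICE'
)
BEGIN
    CREATE LOGIN [NT AUTHORITY\LOCAL SERVICE] FROM WINDOWS;
END;
GO

-- 2. Add the login to dbcreator (the role needed in this scenario) if it is
--    not already a member. Nothing broader, such as sysadmin, is granted.
IF NOT EXISTS (
    SELECT 1
    FROM sys.server_role_members AS m
    JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
    JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
    WHERE r.name = N'dbcreator'
      AND l.name = N'NT AUTHORITY\LOCAL SERVICE'
)
BEGIN
    ALTER SERVER ROLE [dbcreator] ADD MEMBER [NT AUTHORITY\LOCAL SERVICE];
END;
GO

-- 3. Review: every fixed or user-defined server role the login belongs to.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = N'NT AUTHORITY\LOCAL SERVICE';

-- 4. Review: server-level permissions explicitly granted or denied to the login.
SELECT p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS l ON l.principal_id = p.grantee_principal_id
WHERE l.name = N'NT AUTHORITY\LOCAL SERVICE';
```

Any process on the machine that runs as Local Service can use this login, so the output of steps 3 and 4 is worth checking whenever the role list changes.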
I had to solve this and decided to write about it. The writing took 10 minutes, the research was 15-20 minutes to find a good reference and experiment a bit.
A good learning exercise, and all of you should know how to do this. Prove it with your own blog.