
Greg Low (The Bit Bucket: IDisposable)

Ramblings of Greg Low (SQL Server MVP, MCM and Microsoft RD) - SQL Down Under

SQL Server Service won’t start after changing service account - service-specific error %%-2146885628

Published Thursday, May 30, 2013 11:49 AM by Greg Low


Comments

 

Dan said:

but what was the actual root cause, we can fix lots with local admin, but dare say break a lot of policies in the process

May 29, 2013 8:53 PM
 

Greg Low said:

Too true Dan. This was a case of getting back functioning (no-one else around) until I could get the account updated in the morning. The minimum required for a SQL Server service account is:

Log on as a service (SeServiceLogonRight)

Replace a process-level token (SeAssignPrimaryTokenPrivilege)

Bypass traverse checking (SeChangeNotifyPrivilege)

Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

Permission to start SQL Server Active Directory Helper

Permission to start SQL Writer

Permission to read the Event Log service

Permission to read the Remote Procedure Call service

May 29, 2013 9:10 PM
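A quick way to verify the four user rights Greg lists without clicking through the Local Security Policy console, as an added example (not code from the original post or from Greg). It exports the local policy with secedit and checks whether the account's SID is directly assigned each right; the account name is an assumed placeholder.

```powershell
# Added example: check a SQL Server service account for the four user rights listed above.
# Run from an elevated prompt (secedit /export needs it). $Account is a placeholder.
$Account = 'CONTOSO\svc_sqlserver'

$required = [ordered]@{
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process-level token'
    'SeChangeNotifyPrivilege'       = 'Bypass traverse checking'
    'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'
}

# secedit records most principals as *S-1-5-... SIDs, so resolve the account to its SID.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# [Privilege Rights] lines look like: SeServiceLogonRight = *S-1-5-80-...,*S-1-5-21-...
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = ($matches[2] -split ',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

foreach ($r in $required.Keys) {
    # Direct assignment only: a right inherited through a group (e.g. Administrators)
    # will show as MISSING here, which is exactly what you want to know before
    # removing the account from Local Administrators.
    $has = $rights.ContainsKey($r) -and
           ($rights[$r] -contains $sid -or $rights[$r] -contains $Account)
    '{0,-32} {1,-38} {2}' -f $r, $required[$r], $(if ($has) { 'OK' } else { 'MISSING' })
}
```

The remaining items on Greg's list (starting SQL Writer, reading the Event Log and RPC services) are service ACLs rather than user rights and are not covered by this check.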
 

Dave said:

Helped me on Saturday after MS security updates were installed.  After reboot SQL would not start.

Thanks Mate!

March 24, 2014 1:58 PM
 

Ward said:

Thank you. Solved it by adding NetworkService to local administrator group.

March 18, 2015 10:33 AM
 

Saish said:

Thanks

November 30, 2015 6:40 PM
 

Mahesh said:

Thank you very much, it worked for me.

December 18, 2015 7:47 AM
 

Varun Gautam said:

Thanks !!! It worked for me just by adding NetworkService to the local administrator GROUP.

January 15, 2016 1:56 AM
 

Greg Low said:

That will get you working Varun but note the list above of which permissions you should actually be assigning.

January 15, 2016 4:53 AM
 

JP Mac said:

We're in a situation where we have to remove all accounts from Local Admins except what is absolutely required.  SQL Server can live without, but it takes work.  In my experience with this very scenario, I ran ProcMon on the server where SQL would not start and found exactly which cert file it wanted to access.  I then granted our SQL service domain account Full Control to that file only.  SQL then started successfully.

February 29, 2016 3:46 PM
 

Greg Low said:

Best option is to use the SQL Server Configuration Manager to set the required permissions.

There is a list of what's actually required here: https://msdn.microsoft.com/en-AU/library/ms143504.aspx

February 29, 2016 3:51 PM
 

JP Mac said:

Yes, I know that you should use SSCM when you are CHANGING to a different account or the password because it will set all of the appropriate permissions for SQL to run properly.  However, if you read through that KB, it does not cover the SSL certs that SQL may use.  And we were not changing our accounts or our passwords; we were removing the existing SQL Server service domain account from Local Administrators.  That requires re-permissions all down the line.  So just as an FYI for anyone else who may find themselves in a similar situation...

March 1, 2016 11:11 AM
 

Ellen said:

How can I give the SQL Service domain account the following permissions?

Permission to start SQL Writer

Permission to read the Event Log service

Permission to read the Remote Procedure Call service

I have heard that during setup SQL will grant them, but it has not happened, since after I installed SQL I checked the policy for Log on as a service (SeServiceLogonRight)

Replace a process-level token (SeAssignPrimaryTokenPrivilege)

Bypass traverse checking (SeChangeNotifyPrivilege)

Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) and the user wasn't there

June 15, 2016 1:26 PM
 

Pandi said:

Perfect! Thanks, It is working here

April 19, 2017 12:26 PM
 

Marc Dammers said:

The next time you are in Vegas, I'll get you a beer. This was my issue as well. After the service started, I removed the service account from the local admin group and instead, gave the service account Full Control over the certificate instead.

August 9, 2017 10:49 PM
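JP Mac's and Marc's approach (grant the service account access to the certificate's private key file instead of leaving it in Local Administrators) can be done without ProcMon, since the key file can be located from the certificate itself. The following is an added example, not code from either commenter; the thumbprint and account name are placeholders, and it grants Read rather than Full Control, which is all the service needs to use the key.

```powershell
# Added example: find the private key file behind the SQL Server TLS certificate,
# show who can access it, and grant the service account Read access.
# $Thumbprint and $Account are placeholders; run elevated.
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
$Account    = 'CONTOSO\svc_sqlserver'

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# Works for both CNG (Key Storage Provider) and legacy CAPI (CSP) keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} else {
    $keyFile = Join-Path $env:ProgramData ("Microsoft\Crypto\RSA\MachineKeys\" +
               $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
}
if (-not (Test-Path $keyFile)) { throw "Private key file not found at $keyFile" }

"Private key file: $keyFile"
$acl = Get-Acl -Path $keyFile
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# Read is sufficient for the service to use the key for TLS; avoid Full Control.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
"Granted Read on $keyFile to $Account"
```

After the grant, restart the SQL Server service and confirm in the error log that it loaded the certificate rather than falling back to a self-signed one.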
 

Andy said:

I was getting the same error message trying to start the service and attempted all of the steps mentioned above and more :) Nothing worked. What worked was very simple. It was these steps:

For SQL Server 2005 and later versions, to enable encryption at the server, open the SQL Server Configuration Manager and do the following:

In SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for <server instance>, and then select Properties.

On the Certificate tab, select the desired certificate from the Certificate drop-down menu, and then click OK.

On the Flags tab, select Yes in the ForceEncryption box, and then click OK to close the dialog box.

Restart the SQL Server service.

You can find more information here: https://support.microsoft.com/en-us/help/316898/how-to-enable-ssl-encryption-for-an-instance-of-sql-server-by-using-mi

Now back to the root cause. I believe my issue was caused by renewing the SSL cert; when the old cert dropped and the new one was installed, SQL did not pick up the change automatically and was still looking for the old cert.

Hope that helps someone else to solve their issue. :)

August 17, 2017 7:53 AM
 

Rob said:

This just saved my day!

September 18, 2017 2:53 PM
