SQL Server installation fails if the Setup account doesn't have certain user rights

Symptoms

Consider the following scenario. To tighten security, you remove some default user rights to the local administrators group on a Windows operating system. In preparation for setting up Microsoft SQL Server on this system, you add the Setup account to the local administrators group.

In this scenario, if you either install or upgrade to Microsoft SQL Server, the installation process may fail, and you receive various error messages as noted in the following sections.

Scenario 1: For a new installation, the Setup program fails, and you receive the following error message:

Access is denied

Additionally, you may notice error messages that resemble the following in the Detail.txt file:

2009-01-02 13:00:17 SQLEngine: --SqlServerServiceSCM: Waiting for nt event 'Global\sqlserverRecComplete$NIIT' to be created

2009-01-02 13:00:20 SQLEngine: --SqlServerServiceSCM: Waiting for nt event 'Global\sqlserverRecComplete$NIIT' or sql process handle to be signaled

2009-01-02 13:00:20 Slp: Configuration action failed for feature SQL_Engine_Core_Inst during timing ConfigRC and scenario ConfigRC.

2009-01-02 13:00:20 Slp: Access is denied

2009-01-02 13:00:20 Slp: Configuration action failed for feature SQL_Engine_Core_Inst during timing ConfigRC and scenario ConfigRC.

2009-01-02 13:00:20 Slp: System.ComponentModel.Win32Exception: Access is denied

2009-01-02 13:00:20 Slp:    at System.Diagnostics.ProcessManager.OpenProcess(Int32 processId, Int32 access, Boolean throwIfExited)

2009-01-02 13:00:20 Slp:    at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)

2009-01-02 13:00:20 Slp:    at System.Diagnostics.Process.OpenProcessHandle()

2009-01-02 13:00:20 Slp:    at System.Diagnostics.Process.get_Handle()

2009-01-02 13:00:20 Slp:    at Microsoft.SqlServer.Configuration.SqlEngine.SqlServerServiceBase.WaitSqlServerStart(Process processSql)

2009-01-02 13:00:20 Slp:    at Microsoft.SqlServer.Configuration.SqlEngine.SqlServerServiceSCM.StartSqlServer(String[] parameters)

2009-01-02 13:00:20 Slp:    at Microsoft.SqlServer.Configuration.SqlEngine.SqlServerStartup.StartSQLServerForInstall(String sqlCollation, String masterFullPath, Boolean isConfiguringTemplateDBs)

2009-01-02 13:00:20 Slp:    at Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.ConfigSQLServerSystemDatabases(EffectiveProperties properties, Boolean isConfiguringTemplateDBs, Boolean useInstallInputs)

2009-01-02 13:00:20 Slp:    at Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.DoCommonDBStartConfig(ConfigActionTiming timing)

2009-01-02 13:00:20 Slp:    at Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.Install(ConfigActionTiming timing, Dictionary`2 actionData, PublicConfigurationBase spcb)

2009-01-02 13:00:20 Slp:    at Microsoft.SqlServer.Configuration.SqlConfigBase.PrivateConfigurationBase.Execute(ConfigActionScenario scenario, ConfigActionTiming timing, Dictionary`2 actionData, PublicConfigurationBase spcbCurrent)

2009-01-02 13:00:20 Slp:    at Microsoft.SqlServer.Configuration.SqlConfigBase.SqlFeatureConfigBase.Execute(ConfigActionScenario scenario, ConfigActionTiming timing, Dictionary`2 actionData, PublicConfigurationBase spcbCurrent)

2009-01-02 13:00:20 Slp:    at Microsoft.SqlServer.Configuration.SqlConfigBase.SlpConfigAction.ExecuteAction(String actionId)

2009-01-02 13:00:20 Slp:    at Microsoft.SqlServer.Configuration.SqlConfigBase.SlpConfigAction.Execute(String actionId, TextWriter errorStream)

2009-01-02 13:00:20 Slp: Exception: System.ComponentModel.Win32Exception.

2009-01-02 13:00:20 Slp: Source: System.

2009-01-02 13:00:20 Slp: Message: Access is denied.


Scenario 2
: Upgrades to SQL Server 2008 will report the following error message on the Engine_SqlEngineHealthCheck rule:

Rule name:Engine_SqlEngineHealthCheck
Rule description: Checks whether the SQL Server service can be restarted; or for a clustered instance, whether the SQL Server resource is online.
Result: Failed
Message/Corrective Action: The SQL Server service cannot be restarted; or for a clustered instance, the SQL Server resource is not online

Additionally, you may notice error messages that resemble the following in the Detail.txt file

2009-05-27 17:50:20 SQLEngine: : Checking Engine checkpoint 'GetSqlServerProcessHandle_1'
2009-05-27 17:50:20 SQLEngine: --SqlServerServiceSCM: Waiting for nt event 'Global\sqlserverRecComplete$SQL10' to be created
2009-05-27 17:50:22 SQLEngine: --SqlServerServiceSCM: Waiting for nt event 'Global\sqlserverRecComplete$SQL10' or sql process handle to be signaled
2009-05-27 17:50:22 SQLEngine: --FacetSqlEngineHealthCheck: Engine_SqlEngineHealthCheck: Error: Access is denied

Scenario3: A new installation of Microsoft SQL Server 2012 or Microsoft SQL Server 2008 R2 fails

You see the following error message when you try to install a new instance of SQL Server 2012 or SQL Server 2008 R2:

Rule "Setup account privileges" failed.
The account that is running SQL Server Setup does not have one or all of the following rights: the right to back up files and directories, the right to manage auditing and the security log and the right to debug programs. To continue, use an account with both of these rights.

Scenario 4: Installing SQL Server 2012 or a later instance fails when you specify a network share (UNC path) for the Backup directory location. When this issue occurs, you receive the following error message:

SQL Server setup account does not have the SeSecurityPrivilege privilege on the specified file server in the path <UNC backup location>. This privilege is needed in folder security setting action of SQL Server setup program. To grant this privilege, use the Local Security Policy console on this file server to add SQL Server setup account to "Manage auditing and security log" policy. This setting is available in the "User Rights Assignments" section under Local Policies in the Local Security Policy console.

Note This issue occurs because the SQL Server Setup account doesn’t have SeSecurityPrivilege permissions on the file server that hosts the network share.

Cause

This behavior is by design. In addition to adding the user account that's running Setup as a local administrator, the Setup user account requires the following default user rights for setup to be completed successfully.

Local Policy Object Display NameUser Right
Backup files and directoriesSeBackupPrivilege
Debug ProgramsSeDebugPrivilege
Manage auditing and security logSeSecurityPrivilege

Note For more information about the permissions that are required to install SQL Server, see the "Prerequisites" section of the following MSDN articles:

How to: Install SQL Server 2008 (Setup)

Install SQL Server 2012 from the Installation Wizard (Setup)

Additionally, if SMB Fileshare is used as a storage option for data directory or any other directories (User database directory, user database log directory, TempDB directory, TempDB log directory or backup directory), the following additional permissions are required for the setup account on SMB fileserver as documented in the following MSDN article:

Install SQL Server with SMB Fileshare as a storage option

SMB Network share folder

FULL CONTROL

SQL Setup account

SMB Network share folder

FULL CONTROL

SQL Server and SQL Server Agent Service account

SMB Fileserver

SeSecurityPrivilege

SQL Setup account

Resolution

To add the rights to the local administrator account, follow these steps:

  1. Log on to the computer as a user who has administrative credentials.
  2. Click Start, click Run, type Control admintools, and then click OK.
  3. Double-click Local Security Policy.
  4. In the Local Security Settings dialog box, click Local Policies, double-click User Rights Assignment, and then double-click Backup Files and Directories.
  5. In the Backup Files and Directories Properties dialog box, click Add User or Group.
  6. In the Select User or Groups dialog box, type the user account that is being used for setup, and then click OK two times.
  7. Repeat the procedure for the other two policies that are mentioned in the "Cause" section.
  8. On the File menu, click Exit to close the Local Security Settings dialog box.
More Information

 

  • To check the list of privileges that are currently associated with the account that is used for Setup, you can use the AccessChk.exe tool. To downloaded this tool, visit the following location:

http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx

Usageaccesschk.exe - a <setup account> *

For example:

c:\tools\accesschk.exe -a testdc\setupaccount *

Sample output:

       SeSecurityPrivilege
        SeBackupPrivilege
        SeRestorePrivilege
        SeSystemtimePrivilege
        SeShutdownPrivilege
        SeRemoteShutdownPrivilege
        SeTakeOwnershipPrivilege
        SeDebugPrivilege
        SeSystemEnvironmentPrivilege
        SeSystemProfilePrivilege
        SeProfileSingleProcessPrivilege
        SeIncreaseBasePriorityPrivilege
        SeLoadDriverPrivilege
        SeCreatePagefilePrivilege
        SeIncreaseQuotaPrivilege
        SeChangeNotifyPrivilege
        SeUndockPrivilege
        SeManageVolumePrivilege
        SeImpersonatePrivilege
        SeCreateGlobalPrivilege
        SeTimeZonePrivilege
        SeCreateSymbolicLinkPrivilege
        SeInteractiveLogonRight
        SeNetworkLogonRight
        SeBatchLogonRight
        SeRemoteInteractiveLogonRight

This permission is required in order to retrieve ACLs on the default backup directory to make sure that the SQL Server service account has full permissions on the folder. This also sets the ACLs if permissions are missing for the SQL Service account so that it can perform a backup on the directory. Setup performs these checks for the default backup directory so that if backup is performed on the default backup directory post-installation, the user doesn’t encounter an error or issue (because of missing permissions) when you perform backup on the default directory.

Note SeSecurityPrivilege is required in order to change the get/set ACLs from the directories and subfolders. This is the case because even users who have FULL CONTROL permissions on the directories don't have permissions to get/set OWNER and Audit information from the directory.

    • Why does the error that's described in Scenario 4 occur only in SQL Server 2012 and later versions of SQL Server ?

In SQL Server 2012 and later versions, Microsoft started supporting data and log files on the SMB file share. As part of this improvement, the setup experience was further enhanced to tighten the checks so that customers don't encounter errors or issues because of insufficient permission post-installation. In pre-SQL Server 2012 versions, customers can still set up the network share path for the Backup directory when the SQL Service account doesn't have permissions to perform backup. However, they will encounter an error post-installation in this situation. These scenarios are now prevented when you start the SQL 2012 setup check on a network share.

Properties

Article ID: 2000257 - Last Review: 09/21/2016 00:04:00 - Revision: 24.0

Microsoft SQL Server 2008 Developer, Microsoft SQL Server 2008 Enterprise, Microsoft SQL Server 2008 Enterprise Evaluation, Microsoft SQL Server 2008 Standard, Microsoft SQL Server 2008 R2 Developer, Microsoft SQL Server 2008 R2 Datacenter, Microsoft SQL Server 2008 R2 Enterprise, Microsoft SQL Server 2008 R2 Standard, Microsoft SQL Server 2012 Developer, Microsoft SQL Server 2012 Enterprise, Microsoft SQL Server 2012 Standard, Microsoft SQL Server 2014 Business Intelligence, Microsoft SQL Server 2014 Developer, Microsoft SQL Server 2014 Enterprise, Microsoft SQL Server 2014 Enterprise Core, Microsoft SQL Server 2014 Standard, Microsoft SQL Server 2014 Web, Microsoft SQL Server 2016 Developer, Microsoft SQL Server 2016 Enterprise, Microsoft SQL Server 2016 Enterprise Core, Microsoft SQL Server 2016 Standard, Microsoft SQL Server 2016 Web

  • KB2000257
Feedback