Channel: SQL Server Setup & Upgrade forum

SQL 2012 Installation, domain user accounts and per-service SID’s


Hi,

Basically this question was prompted by a new installation of SQL 2012; the Reporting Services - Native component failed. During the install, at SqlRSConfigAction_Install_Startup_Cpu64, I got an 'Attempted to Perform an unauthorized operation'. I was using a domain account, and when that account was added to the local admin group, the installation worked.

I then started to look into permissions. My understanding is that with a SQL 2012 standalone installation, only SQL Server Browser, SSAS and PowerPivot for SharePoint have local Windows groups; the others use per-service SIDs. In http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110).aspx, it states: "Permissions will be granted through group membership or granted directly to a service SID, where a service SID is supported." (I'm used to the groups being created).

Looking in gpedit.msc, for 'Replace a process-level token', I can see 'NT SERVICE\MSSQLSERVER' and 'NT Service\SQLSERVERAGENT', which I believe is the service SID (the domain account is not listed).

Therefore my understanding is that permission is not granted through the domain account, i.e. n123456, but through the per-service SIDs, i.e. 'NT SERVICE\MSSQLSERVER'. Is this correct?

For example, for some reason 'NT SERVICE\ReportServer' was not added to 'Log on as a service' (whereas all of the other SQL service SID's and local groups were) which maybe explains my issue (but then I don't know why adding the domain account, n123456 to local administrators worked).

I can also see 'NT SERVICE\MSSQLSERVER' and 'NT Service\SQLSERVERAGENT' added to 'Replace a process-level token', but not 'NT SERVICE\MsDtsServer110' (for SSIS), which has also been installed. I'm not sure if there will be an issue with SSIS.

If anyone has a reference to any more information on this, please let me know. For example, I assume I can't assign these User rights to n123456 (which the DBAs did in the past); it's the SID that needs the access. Therefore I'm confused why certain per-service SIDs are not being granted certain rights (i.e. User rights in gpedit.msc), why adding the domain account n123456 to local admin fixed the Reporting Services installation failure, and what permissions are granted to the domain account, and what is granted to the per-service SIDs (i.e. I see the domain account n123456 has also been added into 'Log on as a service' along with the other service SIDs).

Sorry for the confusion.

Regards,

Tony
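
The user-rights check described in the post can be scripted instead of read off gpedit.msc; this is an added example, not part of the original post. It derives each per-service SID from the service name and looks it up in the text of a `secedit /export /areas USER_RIGHTS` file; the export content below is constructed to mirror the assignments the post reports, and the function names are hypothetical.

```python
import hashlib
import struct

# Constant names as written in a `secedit /export /areas USER_RIGHTS` file.
RIGHTS = {
    "SeServiceLogonRight": "Log on as a service",
    "SeAssignPrimaryTokenPrivilege": "Replace a process-level token",
}

def service_sid(service_name):
    """S-1-5-80- plus SHA-1(upper-cased UTF-16LE name) as five LE uint32s."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(n) for n in struct.unpack("<5I", digest))

def parse_privilege_rights(export_text):
    """Return {right constant: set of holders} from [Privilege Rights].
    SIDs are written with a leading '*'; account names are not."""
    rights, in_section = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = {h.strip().lstrip("*").upper() for h in holders.split(",")}
    return rights

def audit(export_text, services):
    """Return {service: {right label: True/False}} for each service SID."""
    rights = parse_privilege_rights(export_text)
    report = {}
    for svc in services:
        # Match the SID form, or the name form if the export resolved it.
        wanted = {service_sid(svc), f"NT SERVICE\\{svc}".upper()}
        report[svc] = {label: bool(wanted & rights.get(c, set())) for c, label in RIGHTS.items()}
    return report

def constructed_export():
    """Constructed sample mirroring the post; a real export is a UTF-16 file."""
    s = service_sid
    return "\n".join([
        "[Unicode]", "Unicode=yes", "[Privilege Rights]",
        f"SeServiceLogonRight = *{s('MSSQLSERVER')},*{s('SQLSERVERAGENT')},"
        f"*{s('MsDtsServer110')},n123456",
        f"SeAssignPrimaryTokenPrivilege = *{s('MSSQLSERVER')},*{s('SQLSERVERAGENT')}",
    ])

SERVICES = ["MSSQLSERVER", "SQLSERVERAGENT", "ReportServer", "MsDtsServer110"]
if __name__ == "__main__":
    for svc, held in audit(constructed_export(), SERVICES).items():
        print(svc, service_sid(svc), held)
```

To run it against a real server, read the exported file with `encoding="utf-16"` and pass its text to `audit`; `sc showsid <service>` prints the same SID that `service_sid` computes.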

