Check the SQL Server Service Account
Identify which account SQL Server runs under
Before granting any permissions, you need to identify which Windows account the SQL Server service uses. This is the account that needs access to your backup file.
- Press
Win + Rto open the Run dialog - Type
services.mscand press Enter - Find SQL Server (MSSQLSERVER) for default instance, or SQL Server (YourInstanceName) for named instances
- Right-click on it and select Properties
- Open the Log On tab
- Note the account type shown
You will see one of the following account types:
Move your .bak file to C:\QBMBackups\ before granting permissions. This keeps backup files organized and makes permission management easier.
If Log On is "Local System Account"
Grant permissions to the SYSTEM account
SYSTEM (NT AUTHORITY\SYSTEM)
- Right-click on
C:\QBMBackupsfolder → Properties - Go to Security tab → Click Edit
- Click Add → Type
SYSTEM - Click Check Names → Click OK
- Select Full Control → Click Apply
icacls "C:\QBMBackups" /grant "NT AUTHORITY\SYSTEM:(OI)(CI)F"
If Log On is "Network Service"
Grant permissions to the Network Service account
NT AUTHORITY\NETWORK SERVICE
- Right-click on
C:\QBMBackupsfolder → Properties - Go to Security tab → Click Edit
- Click Add → Type
NETWORK SERVICE - Click Check Names → Click OK
- Select Full Control → Click Apply
icacls "C:\QBMBackups" /grant "NT AUTHORITY\NETWORK SERVICE:(OI)(CI)F"
If your .bak file is on a network share (e.g., \\NAS\Backups\...), Network Service typically accesses it as the computer account (e.g., DOMAIN\SERVERNAME$). For best results, copy the backup file locally to C:\QBMBackups\ before restoring, or grant share permissions to your server's computer account.
If Log On is "Local Service"
Grant permissions to the Local Service account
NT AUTHORITY\LOCAL SERVICE
icacls "C:\QBMBackups" /grant "NT AUTHORITY\LOCAL SERVICE:(OI)(CI)F"
You can also use the GUI method described in Step 2, but enter LOCAL SERVICE instead of SYSTEM when adding the account.
If Log On is "This Account" (Specific User)
Grant permissions to the exact account shown in service properties
This configuration is common in more secure enterprise environments. The SQL Server service runs under a dedicated domain or local user account.
DOMAIN\SqlSvc or .\SqlSvcUser)
- Move your
.bakfile toC:\QBMBackups\ - Right-click on the folder → Properties → Security
- Click Add and enter the exact account name you saw under Log On
- Grant Full Control (or at minimum: Read on
.bakfile + Modify on data folder)
icacls "C:\QBMBackups" /grant "DOMAIN\SqlSvc:(OI)(CI)F"
Replace DOMAIN\SqlSvc in the command with the actual account name you found in the SQL Server service Log On tab.
Important: Do Not Change the Service Account
Avoid modifying SQL Server service configuration
Never change the SQL Server service account to "Local System" just to complete a restore operation. This can cause serious problems including broken service permissions, loss of access to network shares, violations of security policies, and failures in other SQL Server features.
Keep the service account as configured by your IT department. Instead, grant the necessary folder/file permissions to that existing service account.
Verify Target Folder Permissions
Ensure SQL Server can write the restored database files
Even if SQL Server can read your .bak file, it must also be able to write the restored .mdf and .ldf database files to the target location.
If you're restoring to a custom folder (e.g., C:\SQLData\), you must also grant Full Control to the same service account on that folder. The service account needs write permissions wherever the .mdf and .ldf files will be created.
C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\
C:\SQLData\
D:\SQLData\