Occasionally I’ll get a query from a security-conscious client who says that they have found a user account that mysteriously appears, called QBDataServiceUser (often with a number appended to the name). They want to know why it shows up and what they should do about it.
Starting with the 2006 release of QuickBooks (in the US edition, later in non US editions), Intuit changed the database system to use a SQL based system called SQL Anywhere, from Sybase. This is an embedded database system that developers can use to manage their database, limiting direct access (for security reasons) to the program that uses it. The QBDataServiceUser is related to the management of the database.
Why Does This Account Exist?
With QuickBooks you can run the software in two “modes” – single user or multiple user. If you select multiple user then QuickBooks will create a new Windows user account and start a separate copy of the database manager as a Windows service.
Essentially, the QBDataServiceUser account is created to manage the separate database manager service and allow it to provide services to any user that logs in to this Windows system. You should only find it on a workstation or server that is hosting the database – and it is important that only one computer is acting as the host.
It is not unusual to have a user account set up in Windows by a software system, to be used to manage a database product or a service of some sort. Microsoft will do this, setting up an ASP.NET user account in certain situations. By creating this limited user account (more on that later) the service can be available to all Windows users without providing administrative access to your computer.
Looking at my system configuration, on a system that has just QuickBooks 2010 installed, you can see that there is a QuickBooks database “service” running. This is the multiuser database manager.
You may see multiple user accounts if you have been upgrading your copy of QuickBooks periodically. For example, the following is a screen shot from one of my test systems that has QuickBooks 2006, 2007 and 2008 installed:
The user with no number at the end is for QuickBooks 2006, the 17 is for 2007, and so forth. QuickBooks 2010 and Enterprise 10 use QBDataServiceUser20.
Can I Get Rid Of This Account?
Well, yes, you can, but normally you shouldn’t. If this computer is the “host” for your QuickBooks database you must have this user account and service running to provide multi user access to the QuickBooks company file. You can delete the account, but the next time you start multi user access on this computer QuickBooks will set the account up again.
You may also notice, as I’ve shown above, that you have multiple user accounts set up. Also, since this user account must have a folder in your Documents and Settings folder, you may see multiple QBDataServiceUser folders. Why?
If you have installed upgrades to QuickBooks over the years there could be a user account and folder for each upgrade you installed. If you uninstall an older copy of QuickBooks that you no longer need, QuickBooks should remove the unneeded user accounts. However, it most likely won’t delete the folder for the account in your Documents and Settings folder. Microsoft Windows does not provide a simple way for the program to clean up these user folders.
You can safely delete these left over folders after you have uninstalled. Don’t uninstall the folders that are currently being used.
In some cases you may find additional folders, if you install, uninstall and reinstall the same edition multiple times. You may see folders like QBDataServiceUser.001 and QBDataServiceUser.002, for example. In this case you can delete the lowest numbered folders, leaving the highest numbered one in place.
Is This Account A Security Risk?
This is the usual question that people have when they notice these user accounts. The simplest answer is that this is a normal practice for services like this in Microsoft Windows, and there is no security risk having them there. They are set up as “limited user” accounts that generally have very limited permissions. They can’t be used by another individual or program to log in to your machine.
When rebooting Windows and logging in you won’t see this user account listed in the login screen normally. These are “hidden” accounts that you normally see. This is helpful. Also, it is important to note that this account does not have administrative privileges.
You can see them in your Windows Control panel. The accounts are set up with a password, and we aren’t provided with that password.
If for some reason you have a computer system administrator that doesn’t want this kind of user account set up on a company file server, the only real solution you have is to set up a separate file server just to manage QuickBooks data. That would keep it separate from your main company server – which often is a good idea in any case.
At the very end, you make the following passing remark: “..set up a separate file server just to manage QuickBooks data. That would keep it separate from your main company server – which often is a good idea in any case.”
Can you expand upon this? Why do you feel this is a good idea?
Can you provide a link to discussion elsewhere on your site that presents your view of the best way to set up a multi-user installation of QB in a networked environment?
Would there be any difference in this setup for Premier and for Enterprise?
Thanks,
— Ron
Ron, I haven’t written an article on multi-user installation. Intuit has very good source documents in their help site that should cover this. See the “Networking” tab at http://support.quickbooks.intuit.com/Support/InstallCenter/default.aspx
Premier and Enterprise have differences, in that many feel that Terminal Services is the best way to run Enterprise in multi user environments (I can’t say, I don’t work with Terminal Services myself). Premier isn’t supported there.
In general, I prefer having the database server separate from the “main” company server, if that is possible, because of performance. If you have a lot of other things running on the Server, like Microsoft Exchange, it really has an impact on QB performance. That is the primary basis for my assertion.
I read above that there is no security risk, but on one of my computers I have found evidence that someone has hacked into it through the QBDataServiceUser20 account and has bee running things. During the time that someone has been using it, Several viruses have found their way into my system. I have deleted the account, but have saved all the temp files that have been created during the month+ that it was being used.
John, I would be surprised at that. First, the user account is a limited user and shouldn’t have the permissins that would let someone do much. Second, how did someone access your computer in the first place? Sounds like you have a security issue outside of this user account…