Agent Account = domain\useraccount != local or domain admin. Scheduled DTS packages don't run

From: Terje Viken (terje.viken_at_smurfs.org)
Date: 11/12/03

• Next message: barmanvarn: "Newbie to security"
• Previous message: Samuel Berry: "Re: Changing the SQL Server service account, problems"
• Next in thread: Gary Whitley [MSFT]: "RE: Agent Account = domain\useraccount != local or domain admin. Scheduled DTS packages don't run"
• Reply: Gary Whitley [MSFT]: "RE: Agent Account = domain\useraccount != local or domain admin. Scheduled DTS packages don't run"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 12 Nov 2003 18:59:58 +0100

Hi

We have been running MBSA ( Microsoft Baseline Security analyzer ) on our
SQL-servers.
It advices us to run the MSSQLSERVER and SQLSERVERAGENT under domain user
accounts that are not members of the domain admin group ( of course ) - but
not even under the local administrator group of the computer. OK: I would
very much like the service to run on a low-privileged domain-account.

I have followed sevaral MS KB-articles on how to setup security on registry
keys, folders etc. But on both SQL7 and SQL2000.

The SQL-server seem to work perfectly - except for one thing - Scheduled DTS
Packages fail. They have been setup to use System ODBC DSN's on the
SQL-server host. This will also be the result if the domain\serviceaccount
is added to the local power users group.

I have tried to look for access denied messages using sysinternals: FileMon
and Regmon - but no luck. The problem goes away if I add the
<domain>\<serviceaccount> to the local administrators group.

I see this question has been asked before -but I have not found an answer
that works !

Terje

---

• Next message: barmanvarn: "Newbie to security"
• Previous message: Samuel Berry: "Re: Changing the SQL Server service account, problems"
• Next in thread: Gary Whitley [MSFT]: "RE: Agent Account = domain\useraccount != local or domain admin. Scheduled DTS packages don't run"
• Reply: Gary Whitley [MSFT]: "RE: Agent Account = domain\useraccount != local or domain admin. Scheduled DTS packages don't run"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages how to add a domain user to all computer local groups? ... is there a way via group policy that i could add a domain user ... account to the local administrator group of all domain computers by group ... I don't want to go to each machine to add the account to the local ... (microsoft.public.windows.server.active_directory) Re: sync options unchecked ... definitely sgned in as Admin on my computer. ... the user is a domain user but all domain users are member of the ... > local adminstrator group. ... >> Are you logged in as an administrator or in the local administrator group ... (microsoft.public.pocketpc.activesync) Domain Login - One User Can/Another User Cannot from same Win XP computer ... Administrators group for the system adding both a local account and her ... domain account into the local Administrator group. ... This user can log into as many Win 98 machines as a domain user as she ... (microsoft.public.windowsxp.security_admin) Re: sync options unchecked ... the user is a domain user but all domain users are member of the local ... adminstrator group. ... > Are you logged in as an administrator or in the local administrator group ... (microsoft.public.pocketpc.activesync)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.sqlserver.security  > 2003-11