Re: Minimum rights for SQL Agent

From: Geoff N. Hiten (SRDBA_at_Careerbuilder.com)
Date: 02/25/04


Date: Wed, 25 Feb 2004 12:01:36 -0500

I disagree.

There are a large number of bad side effects if the SQL service account is
NOT a member of the local administrators group on a server. It needs to be
a domain account so you can access domain resources, but not necessarily a
domain admin. If the box is dedicated to SQL, then there is really no
seciruty risk. If not, then you are in for more problems anyway.

-- 
Geoff N. Hiten
Microsoft SQL Server MVP
Senior Database Administrator
Careerbuilder.com
I support the Professional Association for SQL Server
www.sqlpass.org
"Bruce Rhoades" <bruce.rhoades@gdsinc.com> wrote in message
news:eI8S4C0%23DHA.2484@TK2MSFTNGP12.phx.gbl...
> Hi,
> Here is a problem:
> SQL 2000 servers on Win 2000 servers in NT4 Domain
> Security  restrictions exclude Everyone group from all the shares and
> registries.
> The SQL agent  and SQL Server service accounts should NOT be Local or
Domain
> Administrative privileges.
>
> What are the minimum rights and registry access required for these
accounts
> in order to operate?
>
> Any help is greatly appreciated.
>
> Regards,
> JD
>
>


Relevant Pages

  • Re: Delegation problems
    ... I did a search for the SPN and it came back with two ... When the SQL server was initially setup (by a FORMER ... administrator) he used his account as the service account for SQL ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Site Maintenence tasks
    ... "NT AUTHORITY\SYSTEM" is a local account that belongs to ... for the os Administrators group) which has the sql role of System ... >>> Since I have my SQL server and Site server on separate boxes, ...
    (microsoft.public.sms.tools)
  • Re: Builtin Administrators Group and SQL Agent Jobs
    ... You granted access to SQL Server to a Windows NT domain group called DBA ... login to the System Adminstrator Server role or any other Server role? ... the Local NT administrators group will now have Administrator access to SQL ...
    (microsoft.public.sqlserver.security)
  • Re: Wait on the Database Engine recovery handle failed during setup
    ... service account full control on the protect folder. ... But I were able get hold of the logs from Microsoft's ... The error in the SQL Server errorlog is "An error occurred during ...
    (microsoft.public.sqlserver.setup)
  • Re: SPN creation
    ... will i need to create an spn for the live sql server service account in order ... front end website to get Kerb delegation to the backend if your AD is 2003 ... form port-specific SPNs for HTTP, ...
    (microsoft.public.windows.server.active_directory)