Re: Running SQLServer and SQLServer Agent as Power User

From: Dazza (Post2Group_at_Only.com)
Date: 03/24/05

• Next message: gbledsoe: "Re: Running SQLServer and SQLServer Agent as Power User"
• Previous message: Alek: "Re: encrypt sensitive data"
• In reply to: gbledsoe: "Running SQLServer and SQLServer Agent as Power User"
• Next in thread: gbledsoe: "Re: Running SQLServer and SQLServer Agent as Power User"
• Reply: gbledsoe: "Re: Running SQLServer and SQLServer Agent as Power User"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 24 Mar 2005 19:48:50 -0000

The account that starts the services needs to have the "log on as a service"
right. Without this MSSQLServer and MS SQL Server Agent will not start.

It would also be more secure to use a domain account for this rather than a
local account as SQL then benefits from the integrated security of Windows
2000.

Also why would you want end users to have admin rights on the server at all?
This defeats the object of system security and resource accessibility. It
is best that they are Doman Users only then assign access rights to shares
on the servers.

HTH
Regards
Dazza

"gbledsoe" <gbledsoe@discussions.microsoft.com> wrote in message
news:72CDD311-3C73-480E-9734-3E6F0E76DB09@microsoft.com...
> We're trying to limit the number of user accounts with Admin level
> permission
> on our Win2K servers, especially SQL servers. We have created a domain
> level
> account to run SQLServer and SQLAgent. We'd like to limit it to Power User
> status instead of Admin status on the servers, but we cannot seem to start
> and stop the services from SEM with only Power User status. We've checked
> registry key permissions and everything seems to be configured properly.
> Is
> this configuration even possible? Or does this account NEED to be local
> admin
> on the server? Help would be appreciated. Thanks.

---

• Next message: gbledsoe: "Re: Running SQLServer and SQLServer Agent as Power User"
• Previous message: Alek: "Re: encrypt sensitive data"
• In reply to: gbledsoe: "Running SQLServer and SQLServer Agent as Power User"
• Next in thread: gbledsoe: "Re: Running SQLServer and SQLServer Agent as Power User"
• Reply: gbledsoe: "Re: Running SQLServer and SQLServer Agent as Power User"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Howto refresh IIS 6 Application pool identity credential info ... The Application Servers are load balanced clustered, ... HostHeader names in IIS, it has a CNAME in DNS referencing ... Only account A has access to database DB-A ... (microsoft.public.inetserver.iis.security) Re: Forest to Child -- Permissions ... My account can login to all the DCs and has full administrator priv. ... first DC in the root. ... the member servers only ... never happen unless some admin has been mucking about. ... (microsoft.public.windows.server.dns) Re: Forest to Child -- Permissions ... My account can login to all the DCs and has full administrator priv. ... first DC in the root. ... the member servers only ... never happen unless some admin has been mucking about. ... (microsoft.public.windows.server.dns) Re: Running SQLServer and SQLServer Agent as Power User ... > We're trying to limit the number of user accounts with Admin level permission ... > on our Win2K servers, ... Or does this account NEED to be local admin ... although not all sql feature are available. ... (microsoft.public.sqlserver.security) Re: SMS Heirachy ... I have also tried rebooting both servers after adding the compter accounts ... > try and setup a standard address when i select the drop down box i dont ... > account is a member of the sms_sitetosite group on SiteB? ... >> A. The address will use the sender, but having a sender is not enough. ... (microsoft.public.sms.setup)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.sqlserver.security  > 2005-03