Re: Running SQLServer and SQLServer Agent as Power User

From: gbledsoe (gbledsoe_at_discussions.microsoft.com)
Date: 03/24/05 

Date: Thu, 24 Mar 2005 13:33:06 -0800

We've following the instructions in MS article 283811 and ensured that the
account has all necessary extended user rights, such as act as part of
operating system, logon as batch job, logon as service. The fundamental
question is whether the account can run as Power User or does it need to be
Administrator? If it does not NEED to be Administrator, what other
configuration is necessary to let us use that account to stop and start the
SQLServer service, since Power User does not seem to have the rights. Thanks.

"Dazza" wrote:

> The account that starts the services needs to have the "log on as a service"
> right. Without this MSSQLServer and MS SQL Server Agent will not start.
>
> It would also be more secure to use a domain account for this rather than a
> local account as SQL then benefits from the integrated security of Windows
> 2000.
>
> Also why would you want end users to have admin rights on the server at all?
> This defeats the object of system security and resource accessibility. It
> is best that they are Doman Users only then assign access rights to shares
> on the servers.
>
> HTH
> Regards
> Dazza
>
>
>
> "gbledsoe" <gbledsoe@discussions.microsoft.com> wrote in message
> news:72CDD311-3C73-480E-9734-3E6F0E76DB09@microsoft.com...
> > We're trying to limit the number of user accounts with Admin level
> > permission
> > on our Win2K servers, especially SQL servers. We have created a domain
> > level
> > account to run SQLServer and SQLAgent. We'd like to limit it to Power User
> > status instead of Admin status on the servers, but we cannot seem to start
> > and stop the services from SEM with only Power User status. We've checked
> > registry key permissions and everything seems to be configured properly.
> > Is
> > this configuration even possible? Or does this account NEED to be local
> > admin
> > on the server? Help would be appreciated. Thanks.
>
>
>

Relevant Pages

  • Re: sbs2003 to (new)server2003 user issue
    ... You have not just add the "name" to ADUC, rightclick My Computer icon on the desktop, choose properties, go to network identification tab, here click properties and choose under Member of "Domain", fill in the domain name and a window will open asking you for an account from the domain with the password. ... This posting is provided "AS IS" with no warranties, and confers no rights. ... Laptop not/never part of the domain. ... sbs server dead sunday night. ...
    (microsoft.public.windows.server.active_directory)
  • Re: sbs2003 to (new)server2003 user issue
    ... Meinolf Weber ... This posting is provided "AS IS" with no warranties, and confers no rights. ... sbs server dead sunday night. ... Even if the account in the domain and the local account on the ...
    (microsoft.public.windows.server.active_directory)
  • Re: Problems with WSS 2.0 and Remote SQL
    ... I did use the domain name when specifing the admin account, ... creator rights on the SQL Server, it appears that the databases are being ... >> my AD account which has Enterprise Admin and Domain admin rights. ...
    (microsoft.public.sharepoint.windowsservices)
  • Re: Restored Server but SharePoint refusing admin access
    ... > SID/BID or remove the user from the database and add it again. ... >, In SQL Configuration Manager go to SQL> Server ... > you had) you cannot access the database from that account. ... > newly added administrator account (for me, since I added a new admin ...
    (microsoft.public.windows.server.sbs)
  • Web Server - User Access and Priviledges.
    ... restriction policy that came out with the server 2003 ... Have a logon for your everyday use and one admin ... account that your or only a few people have access to. ... >Create a second Administrator account on each Web Server. ...
    (microsoft.public.win2000.security)