Re: SQLServerAgent Service

From: LvBohemian (LvBohemian_at_discussions.microsoft.com)
Date: 06/13/05

    Date: Mon, 13 Jun 2005 09:14:02 -0700
    
    

    1. Act as Part of the Operating System = SeTcbPrivilege
    2. Bypass Traverse Checking = SeChangeNotify
    3. Lock Pages in Memory = SeLockMemory
    4. Log on as a Batch Job = SeBatchLogonRight
    5. Log on as a Service = SeServiceLogonRight
    6. Replace a Process Level Token = SeAssignPrimaryTokenPrivilege

    These are the minimum requirements to run the SQL agent and SQL services
    if said account is not a domain or local administrator...

    This right has been added to support various job requirements:
    7. Increase Scheduling Priority = SeIncreaseBasePriorityPrivilege

    It is my understanding that I need to use the same account to launch
    MSSQLServer & SQLServerAgent and that if I want to use xp_sendmail I have
    to utilize an Outlook client utilizing the same account...

    MSSQLServer Service runs fine under these rights...
    SQLServerAgent reports the following error when attempting to start...

    Event Type: Error
    Event Source: SQLSERVERAGENT
    Event Category: Service Control
    Event ID: 103
    Date: 6/13/2005
    Time: 8:29:43 AM
    User: N/A
    Computer: ComputerName
    Description:
    SQLServerAgent could not be started
    (reason: SQLServerAgent must be able to connect to SQLServer as SysAdmin,
    but '(Unknown)'
    is not a member of the SysAdmin role).

    When the account is a member of the local administrators group or the
    internal SQL SysAdmin role (DBA full access) it works fine...

    Which coincides with the following:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adminsql/ad_automate_3w8k.asp

    My problem is I do not want to run these services as a SysAdmin, Local Admin
    or Domain Admin account for obvious reasons...

    And the SQL server 2000 best practices state these accounts should not be a
    member of the administrators groups/roles etc...

    So how the heck do I get by this?

    Thanks in advance.
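
An added example, not part of the original post: a Python check that compares the user rights assigned directly to a service account in a `secedit /export` policy file with the seven rights listed in the post, reporting any that are missing and any beyond the list. The SID, the sample policy text and the function names are constructed for illustration; `SeChangeNotifyPrivilege` and `SeLockMemoryPrivilege` are the full Windows constant names for rights 2 and 3.

```python
# Added example: audit a service account against the rights listed in the post.
REQUIRED = {
    "SeTcbPrivilege",                   # Act as Part of the Operating System
    "SeChangeNotifyPrivilege",          # Bypass Traverse Checking
    "SeLockMemoryPrivilege",            # Lock Pages in Memory
    "SeBatchLogonRight",                # Log on as a Batch Job
    "SeServiceLogonRight",              # Log on as a Service
    "SeAssignPrimaryTokenPrivilege",    # Replace a Process Level Token
    "SeIncreaseBasePriorityPrivilege",  # Increase Scheduling Priority
}

# Constructed sample in the INF layout written by `secedit /export /cfg <file>`.
# The SID ending in -1105 stands in for the SQL service account (hypothetical).
SAMPLE_POLICY = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1111-2222-3333-1105
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-21-1111-2222-3333-1105
SeLockMemoryPrivilege = *S-1-5-21-1111-2222-3333-1105
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeServiceLogonRight = *S-1-5-21-1111-2222-3333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
[Version]
Revision=1
"""

def rights_by_principal(policy_text):
    """Map each SID or account name to the rights in [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in policy_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, members = line.partition("=")
        for member in members.split(","):
            principal = member.strip().lstrip("*").upper()  # SIDs carry a '*'
            if principal:
                rights.setdefault(principal, set()).add(name.strip())
    return rights

def audit(policy_text, account):
    """Compare direct assignments only; rights inherited via groups are not resolved."""
    held = rights_by_principal(policy_text).get(account.upper(), set())
    return {"missing": sorted(REQUIRED - held), "extra": sorted(held - REQUIRED)}
```
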

