Re: SQL account rights

From: "Warren Brunk" <wbrunk@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 4 Oct 2006 14:46:00 -0700

the short answer to your question is NO WAY. The SQL Server account does not
need to be a member of the Domain Admins. Is it not a good practice for a
SQL Server account to be a domain admin. It increases surface area
significantly.

Here is a list of account that can run your services...
http://support.microsoft.com/kb/907557

Perhaps you should make it a regular user on the domain but a local
administrator on the SQL Server boxes.
There are a million ways to set up security for your SQL Server box and
using a domain administrator isnt a good pratice.

You can even use a new feature called User Instances
http://msdn2.microsoft.com/en-us/library/ms143684.aspx

--
/*
Warren Brunk - MCITP - SQL 2005, MCDBA
www.techintsolutions.com
*/

"Lenny" <Lenny@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BEAA37AD-C376-41F7-B4D3-843F7F2C8D51@xxxxxxxxxxxxxxxx

Hi,
In our SQL 2000 environment, we have an account called SQLEXEC, which is a
domain account (Windows account, therefore). We use it to install, set
up,
configure all SQL server functions. My question:
Are there any SQL related functions that really require us to assign this
account to Domain Admin group in our Windows 2003 domain environment.

We prefer not to since domain admin has a lot of power.

Please advise.

Thanks.

Lenny

Follow-Ups:
- Re: SQL account rights
  - From: A McGuire

Prev by Date: Re: remote Local user account permissions to SQL 2000 SP4 server
Next by Date: Re: SQL account right issues
Previous by thread: Re: Linked Server Confusion - I don't know where to start...
Next by thread: Re: SQL account rights
Index(es):
- Date
- Thread

Relevant Pages

Re: SQL account rights
... Please advice what is the best, suitable rights rather than domain admin ... Warren Brunk - MCITP - SQL 2005, ... Add it as a login to the SQL Server ... files, or backups, make sure that the service account has Full ...
(microsoft.public.sqlserver.security)
Re: SetSPN problem
... I tried using a domain admin account (it worked and ... I tried on another server. ... promote the account to domain admin and let it register itself and then ... > Jasper Smith (SQL Server MVP) ...
(microsoft.public.sqlserver.security)
Re: SQL service logon account change problem.
... > We have an SQL server that has been runing with the Domain Admin as logon ... > account for the service and everything was running fine. ... > Then we have changed the logon user name to another user that is Local ... > Admin on the SQL server and then the problem started. ...
(microsoft.public.sqlserver.setup)
Re: newbie question
... domain admin will be a member of local Administrators group ... which essentially maps to BUILTIN\ADMIN account on SQL Server. ... if that other group is a registered user within SQL Server, ... Thank you for using Microsoft newsgroups. ...
(microsoft.public.sqlserver.server)
Re: Error 15401 using sp_grantlogin (not addressed by current KB articles)
... Restarting Windows 2000 resolved the problem for this particular account, ... confused when it sees a duplicate SID. ... > One way to get SQL Server to agree with the renamed NT ... > Preview (to ensure the script was created), ...
(microsoft.public.sqlserver.security)