Re: SQL account rights



Hi there,

Your advice is great.

I got another challenging question from my DBA: he set up some auditing
procedure to check all the user computers to see the versions of small
applications. This is done through a stored procedure under one DB called
auditing. Basically, he said when this stored procedure runs, the script runs
and gets all the version information from user boxes. And, as he said, this
needs domain admin rights to run because this script actually grabs
information from all user computers.

Please advise what the best, suitable rights are, rather than domain admin
rights, in order for this undertaking to be carried out.

Thanks.



















"A McGuire" wrote:

I have only done this on SQL Server 2000 instances thus far - about 70
servers or so. Works like a charm, but be prepared for some unexpected
issues, such as a server that might have IIS running on the same machine,
etc. In those cases, you will have to be careful when restricting and/or
altering permissions.

"Lenny" <Lenny@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F50C32C0-C84C-4AD3-9904-7888CFE83194@xxxxxxxxxxxxxxxx
Warren and A,

Many thanks to both of you. Just one little thing: Suppose the advice is
applicable to SQL 2000 environment, generally speaking. Please let me know,
thanks.

"Warren Brunk" wrote:

Could not agree more....

--
/*
Warren Brunk - MCITP - SQL 2005, MCDBA
www.techintsolutions.com
*/


"A McGuire" <allen.mcguire@xxxxxxxxxxxxxxxxx> wrote in message
news:%23LzcH9I6GHA.4468@xxxxxxxxxxxxxxxxxxxxxxx
I would take it a step further and not make it a local administrator, but
rather:

- Domain User account
- Add it as a login to the SQL Server
- Add it to the sysadmin fixed server role (required for the service
account(s))

Then you have to ensure you set the permissions properly on the SQL Server
files/folders, normally located at C:\Program Files\Microsoft SQL Server.
If you have any additional drives that you use for transaction logs, data
files, or backups, make sure that the service account has Full Permissions
to those as well. Finally there are a few registry and policy settings
that the service account needs access to as well. You can find those at:

http://support.microsoft.com/kb/283811

AFTER you have this all set up, THEN change the service accounts. Do not
remove the BUILTIN\Administrators account until you have verified that
this in fact works for you.

Making the service account a Local Administrator is just too much for me,
but some do in fact do that as a short cut.

"Warren Brunk" <wbrunk@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:uavJ$5$5GHA.4536@xxxxxxxxxxxxxxxxxxxxxxx
The short answer to your question is NO WAY. The SQL Server account does
not need to be a member of the Domain Admins. It is not a good practice
for a SQL Server account to be a domain admin. It increases surface area
significantly.

Here is a list of accounts that can run your services...
http://support.microsoft.com/kb/907557

Perhaps you should make it a regular user on the domain but a local
administrator on the SQL Server boxes.
There are a million ways to set up security for your SQL Server box and
using a domain administrator isn't a good practice.

You can even use a new feature called User Instances
http://msdn2.microsoft.com/en-us/library/ms143684.aspx


--
/*
Warren Brunk - MCITP - SQL 2005, MCDBA
www.techintsolutions.com
*/


"Lenny" <Lenny@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BEAA37AD-C376-41F7-B4D3-843F7F2C8D51@xxxxxxxxxxxxxxxx
Hi,
In our SQL 2000 environment, we have an account called SQLEXEC, which is a
domain account (Windows account, therefore). We use it to install, set up,
configure all SQL server functions. My question:
Are there any SQL related functions that really require us to assign this
account to Domain Admin group in our Windows 2003 domain environment?

We prefer not to since domain admin has a lot of power.

Please advise.

Thanks.


Lenny
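
The login and role steps from A McGuire's reply, with the check that should pass before BUILTIN\Administrators is touched, as added example T-SQL for SQL Server 2000 (not posted by anyone in the thread). EXAMPLEDOM is a constructed placeholder domain and SQLEXEC is the account name from the original question; run it as an existing sysadmin.

```sql
-- Added example, not from the thread. EXAMPLEDOM is a placeholder domain;
-- SQLEXEC is the service account named in the original question.
DECLARE @svc sysname
SET @svc = N'EXAMPLEDOM\SQLEXEC'

-- Step 1: add the plain domain user as a Windows login if it is missing.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE name = @svc)
    EXEC master.dbo.sp_grantlogin @svc

-- Step 2: add it to the sysadmin fixed server role.
-- IS_SRVROLEMEMBER returns NULL for an unknown login, hence ISNULL.
IF ISNULL(IS_SRVROLEMEMBER('sysadmin', @svc), 0) = 0
    EXEC master.dbo.sp_addsrvrolemember @svc, 'sysadmin'

-- Check 1: show every path by which the account reaches the server.
-- A "permission path" through BUILTIN\Administrators or a domain group
-- means the account still holds OS-level rights it should not need.
EXEC master.dbo.xp_logininfo @svc, 'all'

-- Check 2: list every login that holds sysadmin, so any leftover
-- Windows groups (isntgroup = 1) are visible before anything is removed.
SELECT name, isntname, isntgroup
FROM master.dbo.syslogins
WHERE sysadmin = 1
ORDER BY name

-- Gate: report whether the SQL-side prerequisite is met. The file, folder
-- and registry permissions from KB 283811, and a clean service restart
-- under the new account, cannot be verified from T-SQL and must be
-- checked separately.
IF IS_SRVROLEMEMBER('sysadmin', @svc) = 1
    PRINT 'Service account is sysadmin. Verify file/registry permissions '
        + 'and a service restart before removing BUILTIN\Administrators.'
ELSE
    PRINT 'Service account is NOT sysadmin. Do not change the service '
        + 'account or remove BUILTIN\Administrators yet.'

-- Only after all of the above has been verified:
-- EXEC master.dbo.sp_revokelogin N'BUILTIN\Administrators'
```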









