Hi,
Here is a problem:
SQL 2000 servers on Win 2000 servers in NT4 Domain
Security restrictions exclude Everyone group from all the shares and
registries.
The SQL agent and SQL Server service accounts should NOT be Local or Domain
Administrative privileges.
What are the minimum rights and registry access required for these accounts
in order to operate?
Any help is greatly appreciated.
Regards,
JD

Hi,
Do not run SQL Server and SQL Agent services as local system, local
administrator, or domain administrator accounts.
If your services start based on the above, most of the jobs which require OS
level admin privileges will fail.
Eg:
1. Using XP_CMDSHELL writing to hard drives, Registry read/write/delete...
2. SQL Agent connection to SQL Server with Admin privileges.
Go through the link below for more information on setting up security,
http://www.microsoft.com/technet/tr...chnet/prodtechnol/sql/maintain/security/sp3sec/SP3SEC02.ASP
Thanks
Hari
MCDBA
"Bruce Rhoades" <bruce.rhoades@.gdsinc.com> wrote in message
news:eI8S4C0#DHA.2484@.TK2MSFTNGP12.phx.gbl...
> Hi,
> Here is a problem:
> SQL 2000 servers on Win 2000 servers in NT4 Domain
> Security restrictions exclude Everyone group from all the shares and
> registries.
> The SQL agent and SQL Server service accounts should NOT be Local or Domain
> Administrative privileges.
> What are the minimum rights and registry access required for these accounts
> in order to operate?
> Any help is greatly appreciated.
> Regards,
> JD
>

I disagree.
There are a large number of bad side effects if the SQL service account is
NOT a member of the local administrators group on a server. It needs to be
a domain account so you can access domain resources, but not necessarily a
domain admin. If the box is dedicated to SQL, then there is really no
security risk. If not, then you are in for more problems anyway.
Geoff N. Hiten
Microsoft SQL Server MVP
Senior Database Administrator
Careerbuilder.com
I support the Professional Association for SQL Server
www.sqlpass.org

See the BOL topic "Setting up Windows Services Accounts" for more details
on the permissions needed. If you're on a cluster then the startup
accounts need to be local admins. There is a subset of activities outlined
in the above topic that also require a local admin. Otherwise, the
account(s) just needs to be added to SQL Server as sysadmins and have the
permissions outlined in the referenced topic. If you set the account
through Enterprise Manager then all the permissions are automatically set
for you.
Cindy Gross, MCDBA, MCSE
http://cindygross.tripod.com
This posting is provided "AS IS" with no warranties, and confers no rights.