Hi,
Here is a problem:
SQL 2000 servers on Win 2000 servers in NT4 Domain
Security restrictions exclude Everyone group from all the shares and
registries.
The SQL agent and SQL Server service accounts should NOT be Local or Domain
Administrative privileges.
What are the minimum rights and registry access required for these accounts
in order to operate?
Any help is greatly appreciated.
Regards,
JDHi,
Do not run SQL Server and SQL Agent services as local system, local
administrator, or domain administrator accounts.
If your services starts based on above, most of the jobs which require an OS
level admin previlages will fail.
Eg:
1. Using XP_CMDSHELL wrting into hard drives, Registry read/write/delete...
2. SQL Agent connection to SQL Server with Admini prev.
Go thru the below link for more information on setting up security,
http://www.microsoft.com/technet/tr...chnet/prodtechn
ol/sql/maintain/security/sp3sec/SP3SEC02.ASP
Thanks
Hari
MCDBA
"Bruce Rhoades" <bruce.rhoades@.gdsinc.com> wrote in message
news:eI8S4C0#DHA.2484@.TK2MSFTNGP12.phx.gbl...
> Hi,
> Here is a problem:
> SQL 2000 servers on Win 2000 servers in NT4 Domain
> Security restrictions exclude Everyone group from all the shares and
> registries.
> The SQL agent and SQL Server service accounts should NOT be Local or
Domain
> Administrative privileges.
> What are the minimum rights and registry access required for these
accounts
> in order to operate?
> Any help is greatly appreciated.
> Regards,
> JD
>|||I disagree.
There are a large number of bad side effects if the SQL service account is
NOT a member of the local administrators group on a server. It needs to be
a domain account so you can access domain resources, but not necessarily a
domain admin. If the box is dedicated to SQL, then there is really no
seciruty risk. If not, then you are in for more problems anyway.
Geoff N. Hiten
Microsoft SQL Server MVP
Senior Database Administrator
Careerbuilder.com
I support the Professional Association for SQL Server
www.sqlpass.org
"Bruce Rhoades" <bruce.rhoades@.gdsinc.com> wrote in message
news:eI8S4C0%23DHA.2484@.TK2MSFTNGP12.phx.gbl...
> Hi,
> Here is a problem:
> SQL 2000 servers on Win 2000 servers in NT4 Domain
> Security restrictions exclude Everyone group from all the shares and
> registries.
> The SQL agent and SQL Server service accounts should NOT be Local or
Domain
> Administrative privileges.
> What are the minimum rights and registry access required for these
accounts
> in order to operate?
> Any help is greatly appreciated.
> Regards,
> JD
>|||See the BOL topic "Setting up Windows Services Accounts" for more details
on the permissions needed. If you're on a cluster then the startup
accounts need to be local admins. There are a subset of activities outlined
in the above topic that also require a local admin. Otherwise, the
account(s) just needs to be added to SQL Server as sysadmins and have the
permissions outlined in the referenced topic. If you set the account
through Enterprise Manager then all the permissions are automatically set
for you.
Cindy Gross, MCDBA, MCSE
http://cindygross.tripod.com
This posting is provided "AS IS" with no warranties, and confers no rights.
Showing posts with label rights. Show all posts
Showing posts with label rights. Show all posts
Friday, March 23, 2012
Minimum rights for a user to run SQL Server service?
Hi fellows
I was just wondering what the minimum rights a local user
must have to be able to run the MSSQLserver service.
Have been using a user that is administrator on the server
but now i would like to know what the minimum requirments
are for running MSSQLServer service are?
Absolut minimum :-)
Thanks in advance
Risun"Risun" <risun@.wmdata.com> wrote in message
news:0c0d01c39196$5ec6e1c0$a001280a@.phx.gbl...
> I was just wondering what the minimum rights a local user
> must have to be able to run the MSSQLserver service.
> Have been using a user that is administrator on the server
> but now i would like to know what the minimum requirments
> are for running MSSQLServer service are?
> Absolut minimum :-)
You could run the MSSQLServer service account as LocalSystem, no user
account required...
This article does a good job of outlining the account requirements to
properly lock down SQL Server server.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
ol/sql/maintain/security/sp3sec/SP3SEC01.ASP
Steve|||If you go to SQL Server download and download Books On Line SP3. This will
tell you what rights the account needs. Search for "Setting up Windows
Services Accounts" and you will fin all the info you need.
--
Barry McAuslin
Look inside your SQL Server files with SQL File Explorer.
Go to http://www.sqlfe.com for more information.
"Risun" <risun@.wmdata.com> wrote in message
news:0c0d01c39196$5ec6e1c0$a001280a@.phx.gbl...
> Hi fellows
> I was just wondering what the minimum rights a local user
> must have to be able to run the MSSQLserver service.
> Have been using a user that is administrator on the server
> but now i would like to know what the minimum requirments
> are for running MSSQLServer service are?
> Absolut minimum :-)
> Thanks in advance
> Risunsql
I was just wondering what the minimum rights a local user
must have to be able to run the MSSQLserver service.
Have been using a user that is administrator on the server
but now i would like to know what the minimum requirments
are for running MSSQLServer service are?
Absolut minimum :-)
Thanks in advance
Risun"Risun" <risun@.wmdata.com> wrote in message
news:0c0d01c39196$5ec6e1c0$a001280a@.phx.gbl...
> I was just wondering what the minimum rights a local user
> must have to be able to run the MSSQLserver service.
> Have been using a user that is administrator on the server
> but now i would like to know what the minimum requirments
> are for running MSSQLServer service are?
> Absolut minimum :-)
You could run the MSSQLServer service account as LocalSystem, no user
account required...
This article does a good job of outlining the account requirements to
properly lock down SQL Server server.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
ol/sql/maintain/security/sp3sec/SP3SEC01.ASP
Steve|||If you go to SQL Server download and download Books On Line SP3. This will
tell you what rights the account needs. Search for "Setting up Windows
Services Accounts" and you will fin all the info you need.
--
Barry McAuslin
Look inside your SQL Server files with SQL File Explorer.
Go to http://www.sqlfe.com for more information.
"Risun" <risun@.wmdata.com> wrote in message
news:0c0d01c39196$5ec6e1c0$a001280a@.phx.gbl...
> Hi fellows
> I was just wondering what the minimum rights a local user
> must have to be able to run the MSSQLserver service.
> Have been using a user that is administrator on the server
> but now i would like to know what the minimum requirments
> are for running MSSQLServer service are?
> Absolut minimum :-)
> Thanks in advance
> Risunsql
Wednesday, March 21, 2012
Minimum level of rights for a SQL Server DBA.
Previously, DBAs in our company used to have local machine administrator
access on the SQL Server boxes. As part of tightening server security, those
rights have been taken away from DBAs (in some cases they have been added to
'Power Users' group).
In order to install SQL Server, the account need to be a local machine
administrator (that's given otherwise installation gives error).
But, what type of minimal rights should be given to DBAs on the server
resources to let that person function properly?
When I am talking about resources, I mean rights to write to specific
directories like
* SQL Server programs/tools
* Common DLLs (in C:\Program files\common files...)
* Local backup directories
* Directory for snapshot/transactional replication transfer data.
And right to execute programs/utilities on the server like
* Perfmon (for system tuning/performance monitoring)
* Services (starting/stopping MSSQLSERVER/SQL Agent esp. if there are
dependencies).
Is there anything that is not needed here or, alternatively, is there
anything that I missed?
Another dimension of this issue is the OS login access that is needed to run
the SQL Server services (needed for remote backups and replication).
Any help will be greatly appreciated!
Regards,
MZeeshan
At my last company, I didnt have admin rights... just SA. 90% of the time
it was fine. The other 10% it sucked. Common things I needed someone to hold
my hand on were:
1. Service restarts.
2. Hotfix/ service packs.
3. Set up stuff like Log Shipping where directory access is needed.
4. Wanting to just see how much disk space I had left on my backup drive.
5. Replication Snapshot.
I know you already mentioned alot of these. The problem is that when the DBA
needs these things, alot of time he needs them NOW. Not once he can have
someone come to his desk and log in as Admin. But like I said, 90% of the
time it was fine and I actually would prefer it. SA is usually good enough.
Any less than SA and a DBA cant get his work done.
"MZeeshan" <mzeeshan@.community.nospam> wrote in message
news:CD58C09D-1874-46A3-AA05-344727CA35F3@.microsoft.com...
> Previously, DBAs in our company used to have local machine administrator
> access on the SQL Server boxes. As part of tightening server security,
> those
> rights have been taken away from DBAs (in some cases they have been added
> to
> 'Power Users' group).
> In order to install SQL Server, the account need to be a local machine
> administrator (that's given otherwise installation gives error).
> But, what type of minimal rights should be given to DBAs on the server
> resources to let that person function properly?
> When I am talking about resources, I mean rights to write to specific
> directories like
> * SQL Server programs/tools
> * Common DLLs (in C:\Program files\common files...)
> * Local backup directories
> * Directory for snapshot/transactional replication transfer data.
> And right to execute programs/utilities on the server like
> * Perfmon (for system tuning/performance monitoring)
> * Services (starting/stopping MSSQLSERVER/SQL Agent esp. if there are
> dependencies).
> Is there anything that is not needed here or, alternatively, is there
> anything that I missed?
> Another dimension of this issue is the OS login access that is needed to
> run
> the SQL Server services (needed for remote backups and replication).
> Any help will be greatly appreciated!
> --
> Regards,
> MZeeshan
>
|||Thanks!
Anyone? any other ideas?
Regards,
MZeeshan
"ChrisR" wrote:
> At my last company, I didnt have admin rights... just SA. 90% of the time
> it was fine. The other 10% it sucked. Common things I needed someone to hold
> my hand on were:
> 1. Service restarts.
> 2. Hotfix/ service packs.
> 3. Set up stuff like Log Shipping where directory access is needed.
> 4. Wanting to just see how much disk space I had left on my backup drive.
> 5. Replication Snapshot.
> I know you already mentioned alot of these. The problem is that when the DBA
> needs these things, alot of time he needs them NOW. Not once he can have
> someone come to his desk and log in as Admin. But like I said, 90% of the
> time it was fine and I actually would prefer it. SA is usually good enough.
> Any less than SA and a DBA cant get his work done.
>
> "MZeeshan" <mzeeshan@.community.nospam> wrote in message
> news:CD58C09D-1874-46A3-AA05-344727CA35F3@.microsoft.com...
>
>
|||Hi MZeeshan,
If you need OS login access that is needed to run the SQL Server services
(needed for remote backups and replication). I think give DBA local
administrator privilege is necessary.
BTW, you are recommanded using the tools below to ensure the security of
your product server.
Best Practices Analyzer Tool for Microsoft SQL Server 2000 1.0
http://www.microsoft.com/downloads/d...=en&familyid=B
352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
Since this is a consultation type issue, you can contact Advisory Services
(AS) . Microsoft Advisory Services provides short-term advice and guidance
for problems not covered by Problem Resolution Service as well as requests
for consultative assistance for design, development and deployment issues.
You may call this number to get Advisory Services: (800) 936-5200.
Sincerely yours,
Michael Cheng
Microsoft Online Partner Support
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ===
This posting is provided "AS IS" with no warranties, and confers no rights.
access on the SQL Server boxes. As part of tightening server security, those
rights have been taken away from DBAs (in some cases they have been added to
'Power Users' group).
In order to install SQL Server, the account need to be a local machine
administrator (that's given otherwise installation gives error).
But, what type of minimal rights should be given to DBAs on the server
resources to let that person function properly?
When I am talking about resources, I mean rights to write to specific
directories like
* SQL Server programs/tools
* Common DLLs (in C:\Program files\common files...)
* Local backup directories
* Directory for snapshot/transactional replication transfer data.
And right to execute programs/utilities on the server like
* Perfmon (for system tuning/performance monitoring)
* Services (starting/stopping MSSQLSERVER/SQL Agent esp. if there are
dependencies).
Is there anything that is not needed here or, alternatively, is there
anything that I missed?
Another dimension of this issue is the OS login access that is needed to run
the SQL Server services (needed for remote backups and replication).
Any help will be greatly appreciated!
Regards,
MZeeshan
At my last company, I didnt have admin rights... just SA. 90% of the time
it was fine. The other 10% it sucked. Common things I needed someone to hold
my hand on were:
1. Service restarts.
2. Hotfix/ service packs.
3. Set up stuff like Log Shipping where directory access is needed.
4. Wanting to just see how much disk space I had left on my backup drive.
5. Replication Snapshot.
I know you already mentioned alot of these. The problem is that when the DBA
needs these things, alot of time he needs them NOW. Not once he can have
someone come to his desk and log in as Admin. But like I said, 90% of the
time it was fine and I actually would prefer it. SA is usually good enough.
Any less than SA and a DBA cant get his work done.
"MZeeshan" <mzeeshan@.community.nospam> wrote in message
news:CD58C09D-1874-46A3-AA05-344727CA35F3@.microsoft.com...
> Previously, DBAs in our company used to have local machine administrator
> access on the SQL Server boxes. As part of tightening server security,
> those
> rights have been taken away from DBAs (in some cases they have been added
> to
> 'Power Users' group).
> In order to install SQL Server, the account need to be a local machine
> administrator (that's given otherwise installation gives error).
> But, what type of minimal rights should be given to DBAs on the server
> resources to let that person function properly?
> When I am talking about resources, I mean rights to write to specific
> directories like
> * SQL Server programs/tools
> * Common DLLs (in C:\Program files\common files...)
> * Local backup directories
> * Directory for snapshot/transactional replication transfer data.
> And right to execute programs/utilities on the server like
> * Perfmon (for system tuning/performance monitoring)
> * Services (starting/stopping MSSQLSERVER/SQL Agent esp. if there are
> dependencies).
> Is there anything that is not needed here or, alternatively, is there
> anything that I missed?
> Another dimension of this issue is the OS login access that is needed to
> run
> the SQL Server services (needed for remote backups and replication).
> Any help will be greatly appreciated!
> --
> Regards,
> MZeeshan
>
|||Thanks!
Anyone? any other ideas?
Regards,
MZeeshan
"ChrisR" wrote:
> At my last company, I didnt have admin rights... just SA. 90% of the time
> it was fine. The other 10% it sucked. Common things I needed someone to hold
> my hand on were:
> 1. Service restarts.
> 2. Hotfix/ service packs.
> 3. Set up stuff like Log Shipping where directory access is needed.
> 4. Wanting to just see how much disk space I had left on my backup drive.
> 5. Replication Snapshot.
> I know you already mentioned alot of these. The problem is that when the DBA
> needs these things, alot of time he needs them NOW. Not once he can have
> someone come to his desk and log in as Admin. But like I said, 90% of the
> time it was fine and I actually would prefer it. SA is usually good enough.
> Any less than SA and a DBA cant get his work done.
>
> "MZeeshan" <mzeeshan@.community.nospam> wrote in message
> news:CD58C09D-1874-46A3-AA05-344727CA35F3@.microsoft.com...
>
>
|||Hi MZeeshan,
If you need OS login access that is needed to run the SQL Server services
(needed for remote backups and replication). I think give DBA local
administrator privilege is necessary.
BTW, you are recommanded using the tools below to ensure the security of
your product server.
Best Practices Analyzer Tool for Microsoft SQL Server 2000 1.0
http://www.microsoft.com/downloads/d...=en&familyid=B
352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
Since this is a consultation type issue, you can contact Advisory Services
(AS) . Microsoft Advisory Services provides short-term advice and guidance
for problems not covered by Problem Resolution Service as well as requests
for consultative assistance for design, development and deployment issues.
You may call this number to get Advisory Services: (800) 936-5200.
Sincerely yours,
Michael Cheng
Microsoft Online Partner Support
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ===
This posting is provided "AS IS" with no warranties, and confers no rights.
Minimum level of rights for a SQL Server DBA.
Previously, DBAs in our company used to have local machine administrator
access on the SQL Server boxes. As part of tightening server security, those
rights have been taken away from DBAs (in some cases they have been added to
'Power Users' group).
In order to install SQL Server, the account need to be a local machine
administrator (that's given otherwise installation gives error).
But, what type of minimal rights should be given to DBAs on the server
resources to let that person function properly?
When I am talking about resources, I mean rights to write to specific
directories like
* SQL Server programs/tools
* Common DLLs (in C:\Program files\common files...)
* Local backup directories
* Directory for snapshot/transactional replication transfer data.
And right to execute programs/utilities on the server like
* Perfmon (for system tuning/performance monitoring)
* Services (starting/stopping MSSQLSERVER/SQL Agent esp. if there are
dependencies).
Is there anything that is not needed here or, alternatively, is there
anything that I missed?
Another dimension of this issue is the OS login access that is needed to run
the SQL Server services (needed for remote backups and replication).
Any help will be greatly appreciated!
--
Regards,
MZeeshanAt my last company, I didnt have admin rights... just SA. 90% of the time
it was fine. The other 10% it sucked. Common things I needed someone to hold
my hand on were:
1. Service restarts.
2. Hotfix/ service packs.
3. Set up stuff like Log Shipping where directory access is needed.
4. Wanting to just see how much disk space I had left on my backup drive.
5. Replication Snapshot.
I know you already mentioned alot of these. The problem is that when the DBA
needs these things, alot of time he needs them NOW. Not once he can have
someone come to his desk and log in as Admin. But like I said, 90% of the
time it was fine and I actually would prefer it. SA is usually good enough.
Any less than SA and a DBA cant get his work done.
"MZeeshan" <mzeeshan@.community.nospam> wrote in message
news:CD58C09D-1874-46A3-AA05-344727CA35F3@.microsoft.com...
> Previously, DBAs in our company used to have local machine administrator
> access on the SQL Server boxes. As part of tightening server security,
> those
> rights have been taken away from DBAs (in some cases they have been added
> to
> 'Power Users' group).
> In order to install SQL Server, the account need to be a local machine
> administrator (that's given otherwise installation gives error).
> But, what type of minimal rights should be given to DBAs on the server
> resources to let that person function properly?
> When I am talking about resources, I mean rights to write to specific
> directories like
> * SQL Server programs/tools
> * Common DLLs (in C:\Program files\common files...)
> * Local backup directories
> * Directory for snapshot/transactional replication transfer data.
> And right to execute programs/utilities on the server like
> * Perfmon (for system tuning/performance monitoring)
> * Services (starting/stopping MSSQLSERVER/SQL Agent esp. if there are
> dependencies).
> Is there anything that is not needed here or, alternatively, is there
> anything that I missed?
> Another dimension of this issue is the OS login access that is needed to
> run
> the SQL Server services (needed for remote backups and replication).
> Any help will be greatly appreciated!
> --
> Regards,
> MZeeshan
>|||Thanks!
Anyone? any other ideas?
--
Regards,
MZeeshan
"ChrisR" wrote:
> At my last company, I didnt have admin rights... just SA. 90% of the time
> it was fine. The other 10% it sucked. Common things I needed someone to hold
> my hand on were:
> 1. Service restarts.
> 2. Hotfix/ service packs.
> 3. Set up stuff like Log Shipping where directory access is needed.
> 4. Wanting to just see how much disk space I had left on my backup drive.
> 5. Replication Snapshot.
> I know you already mentioned alot of these. The problem is that when the DBA
> needs these things, alot of time he needs them NOW. Not once he can have
> someone come to his desk and log in as Admin. But like I said, 90% of the
> time it was fine and I actually would prefer it. SA is usually good enough.
> Any less than SA and a DBA cant get his work done.
>
> "MZeeshan" <mzeeshan@.community.nospam> wrote in message
> news:CD58C09D-1874-46A3-AA05-344727CA35F3@.microsoft.com...
> > Previously, DBAs in our company used to have local machine administrator
> > access on the SQL Server boxes. As part of tightening server security,
> > those
> > rights have been taken away from DBAs (in some cases they have been added
> > to
> > 'Power Users' group).
> >
> > In order to install SQL Server, the account need to be a local machine
> > administrator (that's given otherwise installation gives error).
> >
> > But, what type of minimal rights should be given to DBAs on the server
> > resources to let that person function properly?
> >
> > When I am talking about resources, I mean rights to write to specific
> > directories like
> > * SQL Server programs/tools
> > * Common DLLs (in C:\Program files\common files...)
> > * Local backup directories
> > * Directory for snapshot/transactional replication transfer data.
> >
> > And right to execute programs/utilities on the server like
> >
> > * Perfmon (for system tuning/performance monitoring)
> > * Services (starting/stopping MSSQLSERVER/SQL Agent esp. if there are
> > dependencies).
> >
> > Is there anything that is not needed here or, alternatively, is there
> > anything that I missed?
> >
> > Another dimension of this issue is the OS login access that is needed to
> > run
> > the SQL Server services (needed for remote backups and replication).
> >
> > Any help will be greatly appreciated!
> >
> > --
> > Regards,
> > MZeeshan
> >
>
>|||Hi MZeeshan,
If you need OS login access that is needed to run the SQL Server services
(needed for remote backups and replication). I think give DBA local
administrator privilege is necessary.
BTW, you are recommanded using the tools below to ensure the security of
your product server.
Best Practices Analyzer Tool for Microsoft SQL Server 2000 1.0
http://www.microsoft.com/downloads/details.aspx?displayla%20ng=en&familyid=B
352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
Since this is a consultation type issue, you can contact Advisory Services
(AS) . Microsoft Advisory Services provides short-term advice and guidance
for problems not covered by Problem Resolution Service as well as requests
for consultative assistance for design, development and deployment issues.
You may call this number to get Advisory Services: (800) 936-5200.
Sincerely yours,
Michael Cheng
Microsoft Online Partner Support
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
access on the SQL Server boxes. As part of tightening server security, those
rights have been taken away from DBAs (in some cases they have been added to
'Power Users' group).
In order to install SQL Server, the account need to be a local machine
administrator (that's given otherwise installation gives error).
But, what type of minimal rights should be given to DBAs on the server
resources to let that person function properly?
When I am talking about resources, I mean rights to write to specific
directories like
* SQL Server programs/tools
* Common DLLs (in C:\Program files\common files...)
* Local backup directories
* Directory for snapshot/transactional replication transfer data.
And right to execute programs/utilities on the server like
* Perfmon (for system tuning/performance monitoring)
* Services (starting/stopping MSSQLSERVER/SQL Agent esp. if there are
dependencies).
Is there anything that is not needed here or, alternatively, is there
anything that I missed?
Another dimension of this issue is the OS login access that is needed to run
the SQL Server services (needed for remote backups and replication).
Any help will be greatly appreciated!
--
Regards,
MZeeshanAt my last company, I didnt have admin rights... just SA. 90% of the time
it was fine. The other 10% it sucked. Common things I needed someone to hold
my hand on were:
1. Service restarts.
2. Hotfix/ service packs.
3. Set up stuff like Log Shipping where directory access is needed.
4. Wanting to just see how much disk space I had left on my backup drive.
5. Replication Snapshot.
I know you already mentioned alot of these. The problem is that when the DBA
needs these things, alot of time he needs them NOW. Not once he can have
someone come to his desk and log in as Admin. But like I said, 90% of the
time it was fine and I actually would prefer it. SA is usually good enough.
Any less than SA and a DBA cant get his work done.
"MZeeshan" <mzeeshan@.community.nospam> wrote in message
news:CD58C09D-1874-46A3-AA05-344727CA35F3@.microsoft.com...
> Previously, DBAs in our company used to have local machine administrator
> access on the SQL Server boxes. As part of tightening server security,
> those
> rights have been taken away from DBAs (in some cases they have been added
> to
> 'Power Users' group).
> In order to install SQL Server, the account need to be a local machine
> administrator (that's given otherwise installation gives error).
> But, what type of minimal rights should be given to DBAs on the server
> resources to let that person function properly?
> When I am talking about resources, I mean rights to write to specific
> directories like
> * SQL Server programs/tools
> * Common DLLs (in C:\Program files\common files...)
> * Local backup directories
> * Directory for snapshot/transactional replication transfer data.
> And right to execute programs/utilities on the server like
> * Perfmon (for system tuning/performance monitoring)
> * Services (starting/stopping MSSQLSERVER/SQL Agent esp. if there are
> dependencies).
> Is there anything that is not needed here or, alternatively, is there
> anything that I missed?
> Another dimension of this issue is the OS login access that is needed to
> run
> the SQL Server services (needed for remote backups and replication).
> Any help will be greatly appreciated!
> --
> Regards,
> MZeeshan
>|||Thanks!
Anyone? any other ideas?
--
Regards,
MZeeshan
"ChrisR" wrote:
> At my last company, I didnt have admin rights... just SA. 90% of the time
> it was fine. The other 10% it sucked. Common things I needed someone to hold
> my hand on were:
> 1. Service restarts.
> 2. Hotfix/ service packs.
> 3. Set up stuff like Log Shipping where directory access is needed.
> 4. Wanting to just see how much disk space I had left on my backup drive.
> 5. Replication Snapshot.
> I know you already mentioned alot of these. The problem is that when the DBA
> needs these things, alot of time he needs them NOW. Not once he can have
> someone come to his desk and log in as Admin. But like I said, 90% of the
> time it was fine and I actually would prefer it. SA is usually good enough.
> Any less than SA and a DBA cant get his work done.
>
> "MZeeshan" <mzeeshan@.community.nospam> wrote in message
> news:CD58C09D-1874-46A3-AA05-344727CA35F3@.microsoft.com...
> > Previously, DBAs in our company used to have local machine administrator
> > access on the SQL Server boxes. As part of tightening server security,
> > those
> > rights have been taken away from DBAs (in some cases they have been added
> > to
> > 'Power Users' group).
> >
> > In order to install SQL Server, the account need to be a local machine
> > administrator (that's given otherwise installation gives error).
> >
> > But, what type of minimal rights should be given to DBAs on the server
> > resources to let that person function properly?
> >
> > When I am talking about resources, I mean rights to write to specific
> > directories like
> > * SQL Server programs/tools
> > * Common DLLs (in C:\Program files\common files...)
> > * Local backup directories
> > * Directory for snapshot/transactional replication transfer data.
> >
> > And right to execute programs/utilities on the server like
> >
> > * Perfmon (for system tuning/performance monitoring)
> > * Services (starting/stopping MSSQLSERVER/SQL Agent esp. if there are
> > dependencies).
> >
> > Is there anything that is not needed here or, alternatively, is there
> > anything that I missed?
> >
> > Another dimension of this issue is the OS login access that is needed to
> > run
> > the SQL Server services (needed for remote backups and replication).
> >
> > Any help will be greatly appreciated!
> >
> > --
> > Regards,
> > MZeeshan
> >
>
>|||Hi MZeeshan,
If you need OS login access that is needed to run the SQL Server services
(needed for remote backups and replication). I think give DBA local
administrator privilege is necessary.
BTW, you are recommanded using the tools below to ensure the security of
your product server.
Best Practices Analyzer Tool for Microsoft SQL Server 2000 1.0
http://www.microsoft.com/downloads/details.aspx?displayla%20ng=en&familyid=B
352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
Since this is a consultation type issue, you can contact Advisory Services
(AS) . Microsoft Advisory Services provides short-term advice and guidance
for problems not covered by Problem Resolution Service as well as requests
for consultative assistance for design, development and deployment issues.
You may call this number to get Advisory Services: (800) 936-5200.
Sincerely yours,
Michael Cheng
Microsoft Online Partner Support
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Minimum level of rights for a SQL Server DBA.
Previously, DBAs in our company used to have local machine administrator
access on the SQL Server boxes. As part of tightening server security, those
rights have been taken away from DBAs (in some cases they have been added to
'Power Users' group).
In order to install SQL Server, the account need to be a local machine
administrator (that's given otherwise installation gives error).
But, what type of minimal rights should be given to DBAs on the server
resources to let that person function properly?
When I am talking about resources, I mean rights to write to specific
directories like
* SQL Server programs/tools
* Common DLLs (in C:\Program files\common files...)
* Local backup directories
* Directory for snapshot/transactional replication transfer data.
And right to execute programs/utilities on the server like
* Perfmon (for system tuning/performance monitoring)
* Services (starting/stopping MSSQLSERVER/SQL Agent esp. if there are
dependencies).
Is there anything that is not needed here or, alternatively, is there
anything that I missed?
Another dimension of this issue is the OS login access that is needed to run
the SQL Server services (needed for remote backups and replication).
Any help will be greatly appreciated!
Regards,
MZeeshanAt my last company, I didnt have admin rights... just SA. 90% of the time
it was fine. The other 10% it sucked. Common things I needed someone to hold
my hand on were:
1. Service restarts.
2. Hotfix/ service packs.
3. Set up stuff like Log Shipping where directory access is needed.
4. Wanting to just see how much disk space I had left on my backup drive.
5. Replication Snapshot.
I know you already mentioned alot of these. The problem is that when the DBA
needs these things, alot of time he needs them NOW. Not once he can have
someone come to his desk and log in as Admin. But like I said, 90% of the
time it was fine and I actually would prefer it. SA is usually good enough.
Any less than SA and a DBA cant get his work done.
"MZeeshan" <mzeeshan@.community.nospam> wrote in message
news:CD58C09D-1874-46A3-AA05-344727CA35F3@.microsoft.com...
> Previously, DBAs in our company used to have local machine administrator
> access on the SQL Server boxes. As part of tightening server security,
> those
> rights have been taken away from DBAs (in some cases they have been added
> to
> 'Power Users' group).
> In order to install SQL Server, the account need to be a local machine
> administrator (that's given otherwise installation gives error).
> But, what type of minimal rights should be given to DBAs on the server
> resources to let that person function properly?
> When I am talking about resources, I mean rights to write to specific
> directories like
> * SQL Server programs/tools
> * Common DLLs (in C:\Program files\common files...)
> * Local backup directories
> * Directory for snapshot/transactional replication transfer data.
> And right to execute programs/utilities on the server like
> * Perfmon (for system tuning/performance monitoring)
> * Services (starting/stopping MSSQLSERVER/SQL Agent esp. if there are
> dependencies).
> Is there anything that is not needed here or, alternatively, is there
> anything that I missed?
> Another dimension of this issue is the OS login access that is needed to
> run
> the SQL Server services (needed for remote backups and replication).
> Any help will be greatly appreciated!
> --
> Regards,
> MZeeshan
>|||Thanks!
Anyone? any other ideas?
--
Regards,
MZeeshan
"ChrisR" wrote:
> At my last company, I didnt have admin rights... just SA. 90% of the time
> it was fine. The other 10% it sucked. Common things I needed someone to ho
ld
> my hand on were:
> 1. Service restarts.
> 2. Hotfix/ service packs.
> 3. Set up stuff like Log Shipping where directory access is needed.
> 4. Wanting to just see how much disk space I had left on my backup drive.
> 5. Replication Snapshot.
> I know you already mentioned alot of these. The problem is that when the D
BA
> needs these things, alot of time he needs them NOW. Not once he can have
> someone come to his desk and log in as Admin. But like I said, 90% of the
> time it was fine and I actually would prefer it. SA is usually good enough
.
> Any less than SA and a DBA cant get his work done.
>
> "MZeeshan" <mzeeshan@.community.nospam> wrote in message
> news:CD58C09D-1874-46A3-AA05-344727CA35F3@.microsoft.com...
>
>|||Hi MZeeshan,
If you need OS login access that is needed to run the SQL Server services
(needed for remote backups and replication). I think give DBA local
administrator privilege is necessary.
BTW, you are recommanded using the tools below to ensure the security of
your product server.
Best Practices Analyzer Tool for Microsoft SQL Server 2000 1.0
http://www.microsoft.com/downloads/...g=en&familyid=B
352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
Since this is a consultation type issue, you can contact Advisory Services
(AS) . Microsoft Advisory Services provides short-term advice and guidance
for problems not covered by Problem Resolution Service as well as requests
for consultative assistance for design, development and deployment issues.
You may call this number to get Advisory Services: (800) 936-5200.
Sincerely yours,
Michael Cheng
Microsoft Online Partner Support
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
========================================
=============
This posting is provided "AS IS" with no warranties, and confers no rights.
access on the SQL Server boxes. As part of tightening server security, those
rights have been taken away from DBAs (in some cases they have been added to
'Power Users' group).
In order to install SQL Server, the account need to be a local machine
administrator (that's given otherwise installation gives error).
But, what type of minimal rights should be given to DBAs on the server
resources to let that person function properly?
When I am talking about resources, I mean rights to write to specific
directories like
* SQL Server programs/tools
* Common DLLs (in C:\Program files\common files...)
* Local backup directories
* Directory for snapshot/transactional replication transfer data.
And right to execute programs/utilities on the server like
* Perfmon (for system tuning/performance monitoring)
* Services (starting/stopping MSSQLSERVER/SQL Agent esp. if there are
dependencies).
Is there anything that is not needed here or, alternatively, is there
anything that I missed?
Another dimension of this issue is the OS login access that is needed to run
the SQL Server services (needed for remote backups and replication).
Any help will be greatly appreciated!
Regards,
MZeeshanAt my last company, I didnt have admin rights... just SA. 90% of the time
it was fine. The other 10% it sucked. Common things I needed someone to hold
my hand on were:
1. Service restarts.
2. Hotfix/ service packs.
3. Set up stuff like Log Shipping where directory access is needed.
4. Wanting to just see how much disk space I had left on my backup drive.
5. Replication Snapshot.
I know you already mentioned alot of these. The problem is that when the DBA
needs these things, alot of time he needs them NOW. Not once he can have
someone come to his desk and log in as Admin. But like I said, 90% of the
time it was fine and I actually would prefer it. SA is usually good enough.
Any less than SA and a DBA cant get his work done.
"MZeeshan" <mzeeshan@.community.nospam> wrote in message
news:CD58C09D-1874-46A3-AA05-344727CA35F3@.microsoft.com...
> Previously, DBAs in our company used to have local machine administrator
> access on the SQL Server boxes. As part of tightening server security,
> those
> rights have been taken away from DBAs (in some cases they have been added
> to
> 'Power Users' group).
> In order to install SQL Server, the account need to be a local machine
> administrator (that's given otherwise installation gives error).
> But, what type of minimal rights should be given to DBAs on the server
> resources to let that person function properly?
> When I am talking about resources, I mean rights to write to specific
> directories like
> * SQL Server programs/tools
> * Common DLLs (in C:\Program files\common files...)
> * Local backup directories
> * Directory for snapshot/transactional replication transfer data.
> And right to execute programs/utilities on the server like
> * Perfmon (for system tuning/performance monitoring)
> * Services (starting/stopping MSSQLSERVER/SQL Agent esp. if there are
> dependencies).
> Is there anything that is not needed here or, alternatively, is there
> anything that I missed?
> Another dimension of this issue is the OS login access that is needed to
> run
> the SQL Server services (needed for remote backups and replication).
> Any help will be greatly appreciated!
> --
> Regards,
> MZeeshan
>|||Thanks!
Anyone? any other ideas?
--
Regards,
MZeeshan
"ChrisR" wrote:
> At my last company, I didnt have admin rights... just SA. 90% of the time
> it was fine. The other 10% it sucked. Common things I needed someone to ho
ld
> my hand on were:
> 1. Service restarts.
> 2. Hotfix/ service packs.
> 3. Set up stuff like Log Shipping where directory access is needed.
> 4. Wanting to just see how much disk space I had left on my backup drive.
> 5. Replication Snapshot.
> I know you already mentioned alot of these. The problem is that when the D
BA
> needs these things, alot of time he needs them NOW. Not once he can have
> someone come to his desk and log in as Admin. But like I said, 90% of the
> time it was fine and I actually would prefer it. SA is usually good enough
.
> Any less than SA and a DBA cant get his work done.
>
> "MZeeshan" <mzeeshan@.community.nospam> wrote in message
> news:CD58C09D-1874-46A3-AA05-344727CA35F3@.microsoft.com...
>
>|||Hi MZeeshan,
If you need OS login access that is needed to run the SQL Server services
(needed for remote backups and replication). I think give DBA local
administrator privilege is necessary.
BTW, you are recommanded using the tools below to ensure the security of
your product server.
Best Practices Analyzer Tool for Microsoft SQL Server 2000 1.0
http://www.microsoft.com/downloads/...g=en&familyid=B
352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
Since this is a consultation type issue, you can contact Advisory Services
(AS) . Microsoft Advisory Services provides short-term advice and guidance
for problems not covered by Problem Resolution Service as well as requests
for consultative assistance for design, development and deployment issues.
You may call this number to get Advisory Services: (800) 936-5200.
Sincerely yours,
Michael Cheng
Microsoft Online Partner Support
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
========================================
=============
This posting is provided "AS IS" with no warranties, and confers no rights.
Minimum AD Rights for LAN Based RS
I understand that one must have certain rights in their role as publisher in
reporting services.
Does anyone know the minimum rights needed to allow a developer to publish
reports? Must they have domain admin rights.
Win 2000 Server running SQL server 2000 and RS on a domain.
Thank you in advance.
P.S. I was hoping to not have to give full Administrator rights to publish
reports.
RichExcept for the fact that members of the local administrators group (note
that I say local) has admin rights to RS, there is no correlation between
the rights / groups someone is in as a member of the domain. Because the
domain adminstrator group is usually a member of the local administrators
group this looks the same. Note that you can definitely give rights to any
domain group you want or to individual users. RS operates based on the role
that the user or group has been given rights to. What I do is create a local
group and then to that group I add the domain groups and users that I want
to have rights. I do this just because it is such a pain to create and
manage a domain group but it can work either way. Here are the roles that
you can assign to a user/group:
Browser May view folders, reports and subscribe to
reports.
Content Manager May manage content in the Report Server. This
includes folders, reports and resources.
My Reports May publish reports and linked reports; manage
folders, reports and resources in a users My Reports folder.
Publisher May publish reports and linked reports to the
Report Server.
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"Rich" <rwatson@.brick.net> wrote in message
news:uR60h1MfFHA.3912@.tk2msftngp13.phx.gbl...
>I understand that one must have certain rights in their role as publisher
>in reporting services.
> Does anyone know the minimum rights needed to allow a developer to publish
> reports? Must they have domain admin rights.
> Win 2000 Server running SQL server 2000 and RS on a domain.
> Thank you in advance.
> P.S. I was hoping to not have to give full Administrator rights to publish
> reports.
> Rich
>sql
reporting services.
Does anyone know the minimum rights needed to allow a developer to publish
reports? Must they have domain admin rights.
Win 2000 Server running SQL server 2000 and RS on a domain.
Thank you in advance.
P.S. I was hoping to not have to give full Administrator rights to publish
reports.
RichExcept for the fact that members of the local administrators group (note
that I say local) has admin rights to RS, there is no correlation between
the rights / groups someone is in as a member of the domain. Because the
domain adminstrator group is usually a member of the local administrators
group this looks the same. Note that you can definitely give rights to any
domain group you want or to individual users. RS operates based on the role
that the user or group has been given rights to. What I do is create a local
group and then to that group I add the domain groups and users that I want
to have rights. I do this just because it is such a pain to create and
manage a domain group but it can work either way. Here are the roles that
you can assign to a user/group:
Browser May view folders, reports and subscribe to
reports.
Content Manager May manage content in the Report Server. This
includes folders, reports and resources.
My Reports May publish reports and linked reports; manage
folders, reports and resources in a users My Reports folder.
Publisher May publish reports and linked reports to the
Report Server.
Bruce Loehle-Conger
MVP SQL Server Reporting Services
"Rich" <rwatson@.brick.net> wrote in message
news:uR60h1MfFHA.3912@.tk2msftngp13.phx.gbl...
>I understand that one must have certain rights in their role as publisher
>in reporting services.
> Does anyone know the minimum rights needed to allow a developer to publish
> reports? Must they have domain admin rights.
> Win 2000 Server running SQL server 2000 and RS on a domain.
> Thank you in advance.
> P.S. I was hoping to not have to give full Administrator rights to publish
> reports.
> Rich
>sql
Monday, March 19, 2012
min rights required to schedule a sql server job
Hello,
I need to create a user that can schedule jobs. I cannot use the 'sa' account.
What rights should I assign this user?
Michael
Michael,
You need a user that is a memeber of SQLAgentUserRole database role in msdb database.
You can read more about that in BOL topics:
"How to: Configure a User to Create and Manage SQL Server Agent Jobs"
"Security for SQL Server Agent Administration"
Regards,
|||Here is the link to the Books Online topic for SQL Server Agent security: http://msdn2.microsoft.com/en-us/library/ms190978.aspx
Cheers,
Dan
min rights required to schedule a sql server job
Hello,
I need to create a user that can schedule jobs. I cannot use the 'sa' account.
What rights should I assign this user?
Michael
Michael,
You need a user that is a memeber of SQLAgentUserRole database role in msdb database.
You can read more about that in BOL topics:
"How to: Configure a User to Create and Manage SQL Server Agent Jobs"
"Security for SQL Server Agent Administration"
Regards,
|||Here is the link to the Books Online topic for SQL Server Agent security: http://msdn2.microsoft.com/en-us/library/ms190978.aspx
Cheers,
Dan
Subscribe to:
Posts (Atom)