SQL Server Service Account - Administrator or Not?

  • Ok, I have read many articles on this topic, spread out all over the place but I still haven't come to a conclusion so I thought I would post my question directly to get some feedback.

    Should the SQL Server service account be a LOCAL administrator on the SQL Server server?

    All of our service accounts are domain accounts, for network access, but I can't make up my mind locally.

    Please give me your answers and why.

    Thanks!

    ----------------------------------------------------------01010011010100010100110000100000010100110110010101110010011101100110010101110010001000000101001001101111011000110110101101110011

  • We have set up SQL Server services to use DOMAIN accounts. Here is why:

    1) We want SQL Server to interface with Exchange to send mail, and need a domain account to access the Exchange mailbox associated with SQL Server.

    2) We want to be able to connect to network drives via a UNC name to ship database backups off SQL Server to another machine.

    Hope this is useful.

    Gregory Larsen, DBA

    If you're looking for SQL Server examples, check out my website at http://www.geocities.com/sqlserverexamples

    Gregory A. Larsen, MVP

  • Have you checked into the package object to see if there is some method that might be useful?

    Gregory Larsen, DBA

    If you're looking for SQL Server examples, check out my website at http://www.geocities.com/sqlserverexamples

    Gregory A. Larsen, MVP

  • Sorry if I didn't make myself clear. I am using a DOMAIN account. My question is:

    Should I make this DOMAIN account part of the local Administrators group on my SQL Server server?

    ----------------------------------------------------------01010011010100010100110000100000010100110110010101110010011101100110010101110010001000000101001001101111011000110110101101110011

  • Oh. In our shop the DOMAIN account is in the local admin group, although I'm not sure we have given much thought to why.

    Gregory Larsen, DBA

    If you're looking for SQL Server examples, check out my website at http://www.geocities.com/sqlserverexamples

    Gregory A. Larsen, MVP

  • quote:


    Have you checked into the package object to see if there is some method that might be useful?

    Gregory Larsen, DBA

    If you're looking for SQL Server examples, check out my website at http://www.geocities.com/sqlserverexamples


    Again, I'm sorry, but I don't understand this response.

    ----------------------------------------------------------01010011010100010100110000100000010100110110010101110010011101100110010101110010001000000101001001101111011000110110101101110011

  • You're going to get different responses to this question because there isn't necessarily a "one size fits all" answer; the answer depends upon what you want SQL Server to be able to do and what security policies your Company has in place.

    Strictly speaking, SQL Server's service account does not need to be a member of the Administrators local group, but there are certain privileges that it does need to have on the machine. These are enumerated in the article "Setting up Windows Services Accounts" in the Installing SQL Server book in Books Online. Briefly, SQL Server needs to be able to:

    • Access and change the SQL Server program directory
    • Access and change database files (.mdf, .ldf and .ndf files)
    • Log on as a service
    • Read and write certain registry keys (which are listed in the above article)

    You can easily grant the majority of these permissions by making the service account a member of the Administrators local group, but it is not a requirement; you can leave the service account as a normal user and manually enable these permissions, instead.

    In addition to these privileges, the article lists some other privileges that are necessary if you expect certain functionality from SQL Server, such as the ability to use xp_cmdshell, or the ability to manipulate Active Directory objects. Some of this functionality requires that the service account be a member of Power Users or Administrators, while some simply requires that you add additional privileges to the service account. But these are not requirements for SQL Server to function normally; they are only requirements if you expect to use additional functionality.

    So, in summary: the service account does not have to be a member of the Administrators local group, but there are certain permissions that it needs, and for the sake of making it easy on themselves, many DBAs grant these privileges to the service account by making it a member of the Administrators group, but you don't have to do that; you can grant the privileges manually. There is some functionality that will require the service to be a member of a specific local group (either Power Users or Administrators), but if you aren't using that functionality, then - again - you don't need to put the service account in such a group. Ultimately, you make the decision what path you want to follow.

    For more information, I again refer you to the article I mentioned above in Books Online.

    Matthew Burr
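
The following is an added example, not part of any post in this thread and not taken from Books Online: a read-only PowerShell audit that reports whether the service account sits in Administrators or Power Users and whether it already holds "Log on as a service" and Modify rights on the program and data directories. The service name `MSSQLSERVER` (default instance) and the data path `D:\SQLData` are assumptions; the registry keys from the article are not checked because the thread does not list them.

```powershell
# Added example: read-only audit of the SQL Server service account (run elevated).
# Assumptions: default instance service name and a constructed data directory.
$ServiceName = 'MSSQLSERVER'
$DataPath    = 'D:\SQLData'   # hypothetical: directory holding the .mdf/.ldf/.ndf files

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

# Resolve the logon account to a SID so name formats (.\user, DOMAIN\user) do not matter.
$name = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
if ($name -eq 'LocalSystem') { $name = 'NT AUTHORITY\SYSTEM' }
$sid = ([System.Security.Principal.NTAccount]$name).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

function Test-DirectMember([string]$GroupSid) {
    # Direct membership only; membership through a nested domain group is not detected.
    $members = Get-LocalGroupMember -SID $GroupSid -ErrorAction SilentlyContinue
    @($members.SID.Value) -contains $sid
}

function Test-ModifyAce([string]$Path) {
    # True when an Allow ACE naming this account itself (not one of its groups) grants Modify.
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $rules  = (Get-Acl -LiteralPath $Path).GetAccessRules(
                  $true, $true, [System.Security.Principal.SecurityIdentifier])
    [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $modify) -eq $modify })
}

# Directory of the service executable, used here as a stand-in for the program directory.
$programDir = if ($svc.PathName -match '^"?(.+?\.exe)') { Split-Path $Matches[1] }

# "Log on as a service" is the SeServiceLogonRight user right in the local security policy.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
Remove-Item $cfg
$logonAsService = [bool]($line -and $line.Line -match "\*$([regex]::Escape($sid))(,|\s*$)")

[pscustomobject]@{
    Account            = $name
    InAdministrators   = Test-DirectMember 'S-1-5-32-544'   # BUILTIN\Administrators
    InPowerUsers       = Test-DirectMember 'S-1-5-32-547'   # BUILTIN\Power Users
    LogOnAsService     = $logonAsService
    ModifyOnProgramDir = Test-ModifyAce $programDir
    ModifyOnDataDir    = Test-ModifyAce $DataPath
}
```

An account that reports `InAdministrators = False` with the remaining fields `True` already holds the file-system and logon rights from the list above without local administrator membership.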

  • Hello, people.

    This article can be interesting: http://www.microsoft.com/SQL/techinfo/administration/70/securityWP.asp. See "service accounts" section.

    Regards.

    ________________________________

    Marcelo L Guimaraes

    InterOp Integradora de Sistemas

    http://www.interop.com.br

    Porto Alegre, Brasil
