October 27, 2005 at 8:23 am
What are the pros and cons of having the Agent login to the database as the SA rather than a system account? FYI: The Agent service is loging on to the OS with a domain admin user id.
October 31, 2005 at 8:00 am
This was removed by the editor as SPAM
October 31, 2005 at 12:44 pm
Best Practice says to use Domain Account for the SQLAgent Service. Some even have an issue between the DB Server and SQL Agent services.
The PROS of using a 'sa' priviledge account is that you can perform specific sysadmin-only actions within your SQL Server instance... i.e in DTS, when running the Bulk Insert task, only members of the sysadmin fixed server role can execute the package. This is one of dozens of actions this account could take if it was granted sysadmin access.
The CON is that if the account is "exposed" to other areas/people in your business, they have access via proxy by using the account for their purposes.... This is a significant CON!
Personnally, I believe that as long as the account is managed such that only the support personnel have access to it, it is manageable.
We have our account granted sysadmin access to perform actions against the databases on our instances that require sysadmin. For the most part, I have recommended to other businesses to do the same, as long as the business (and Technical security) requirements permit.
Good Luck
Eddy White, DBA
October 31, 2005 at 1:57 pm
Thanks, I had not thought of that.
Here is some additional info I found since I posted this.
I found out why it is this way at the new DBA job, the domain admin has been taken out of the SQL Server admin group. Apparently domain admins were getting into the database and messing stuff up before I got here. I have a domain admin account I use to do things so I can limit support people from deleting the backups, only way I could enforce it, and I have only been here 3 weeks.
October 31, 2005 at 2:08 pm
In our setup, we do not permit Domain Admins sysadmin access. They do not have the expertice, the training and, besides, they have enough access across the enterprise.
We use 2 groups:
1. DBA - Granted sysadmin (DBA's by name - there are 4 of us)
2. SQLSYS - Windows group granted sysadmin (for our install per previous posting) these accounts are managed by us (per the graces of the Domain Admins using our own Organizational Unit in our Windows 2003 Active Directory) These accounts are for services-use only.
We work pretty close with the Domain Admins so that they can manage the security side of things for our backups etc. They are the experts, we just work with them to manage this on our behalf.
Hope this helps.
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply