August 9, 2011 at 1:50 am
Hi,
My infra guys are on vaccation.Before that, on my recommendation they removed sysadmin rights for a service account under which sql agent use to operate. Now, I need to assign minimum rights to this domain account so that the service is able to run. I gave this account 'log on as service' rights under 2008 policies but no luck.
Please share your inputs.
Thanks
Chandan
August 9, 2011 at 2:06 am
That sounds like a well planned change 🙂
The SQL Server Setup creates groups with the appropriate privileges, this article lists what those individual permissions are. Obviously it may also depend on what your SQL Server does as to whether any additional network permissions are required:
http://msdn.microsoft.com/en-us/library/ms143504.aspx#Review_NT_rights
August 9, 2011 at 2:32 am
You could check this link.
http://www.mssqltips.com/tip.asp?tip=2384
There are few more in the 'Next Steps' section, may be of use to you.
M&M
August 9, 2011 at 3:23 am
HowardW (8/9/2011)
That sounds like a well planned change 🙂The SQL Server Setup creates groups with the appropriate privileges, this article lists what those individual permissions are. Obviously it may also depend on what your SQL Server does as to whether any additional network permissions are required:
http://msdn.microsoft.com/en-us/library/ms143504.aspx#Review_NT_rights
this was a dev server and they removed the permissions overnight. I can shout a little at them for changing something overnight and then going on leave
August 9, 2011 at 3:26 am
mohammed moinudheen (8/9/2011)
You could check this link.http://www.mssqltips.com/tip.asp?tip=2384
There are few more in the 'Next Steps' section, may be of use to you.
Thanks but this just lists the reasons about 'why system account should not be used' .nothing much i found about windows level permissions.
August 9, 2011 at 3:27 am
HowardW (8/9/2011)
That sounds like a well planned change 🙂The SQL Server Setup creates groups with the appropriate privileges, this article lists what those individual permissions are. Obviously it may also depend on what your SQL Server does as to whether any additional network permissions are required:
http://msdn.microsoft.com/en-us/library/ms143504.aspx#Review_NT_rights
I have already given permissions to:
Log on as a service (SeServiceLogonRight)
Replace a process-level token (SeAssignPrimaryTokenPrivilege)
Bypass traverse checking (SeChangeNotifyPrivilege)
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
but this is not working.
August 9, 2011 at 6:56 am
Any solutions here?
August 9, 2011 at 8:10 am
That doesn't look like the full list referenced on the link I provided, but can't you just add the service account into the predefined local group that was created by the installer?
August 9, 2011 at 12:55 pm
You do not need to change the policy settings for this service account. What HowardW mentioned should be all you need to do. Here are the basic steps.
1. Just log in locally to the server
2. go to users and groups
3. add the user to the auto created sql group for sql agent called something like "SQLServer2008SQLAgentUser$ServerName$MSSQLSERVER"
4. add the user to any network shares used (ie. network backup folders)
That will do it.
Adam Durr
Remote DBA support
www.bluegecko.net
Viewing 9 posts - 1 through 8 (of 8 total)
You must be logged in to reply to this topic. Login to reply