Policy Based Management SQL 2008 R2

  • I am creating a list of policies that I need to enforce in my environment.

    One of the security requirements in the list is that the SQL service account cannot exist in the local admin group.

    xp_cmdshell is disabled on the CMS servers. By using the Windows command: net localgroup Administrators, I managed to get a list of local admin account names, but how do I input this as my policy condition?

  • The reason to create this policy is to ensure the SQL service account is not a member of the local admin group.

    I did some research and found that WMI can be used to retrieve the local administrators with the statement below:

    ExecuteWql ('STRING', 'root\CIMV2', 'select name from win32_UserAccount where LocalAccount = ''TRUE'' and name like String(@EngineServiceAccount) ' )

    However, I hit the error: Invalid query (system.Management)

    Can anyone familiar with the syntax point out my error?

    The @engineServiceAccount is one of the facet properties.

  • I can recreate the issue using the "Server Installation Settings" facet. I can use the ExecuteWql function using the "Server Information" facet; however, @EngineServiceAccount is not a property of that facet.

    What version of SQL Server are you running?

    I found this bug report that was marked fixed but it does not say which build.

    http://connect.microsoft.com/SQLServer/feedback/details/640369/executewql-in-policy-based-management-does-not-execute-against-some-facets

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato
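
An added example, not part of the thread: a PowerShell check of the requirement from the first post, run outside Policy-Based Management, that reads the engine's service account from Win32_Service and the direct members of the local Administrators group from Win32_GroupUser. The service name MSSQLSERVER (default instance), the English group name Administrators and a service account written as DOMAIN\user are assumptions; members that are groups are only listed for review, not expanded.

```powershell
# Added example: audits one server for "SQL service account must not be a local admin".
# Assumptions: default instance service name (a named instance is 'MSSQL$<InstanceName>'),
# English group name 'Administrators', service account stored as DOMAIN\user or .\user.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$ServiceName  = 'MSSQLSERVER'
)

# Built-in identities that are administrative without being listed as group members.
$implicitAdmins = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

# 1. Account the Database Engine service runs as.
$svc = Get-WmiObject -ComputerName $ComputerName -Class Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on $ComputerName" }
$account = $svc.StartName

# Local accounts may be stored as '.\name'; rewrite them as '<HOST>\name' for comparison.
if ($account -like '.\*') { $account = $svc.SystemName + '\' + $account.Substring(2) }

# 2. Direct members of the local Administrators group (association class Win32_GroupUser).
$query = "SELECT PartComponent FROM Win32_GroupUser WHERE " +
         "GroupComponent=`"Win32_Group.Domain='$($svc.SystemName)',Name='Administrators'`""
$members = @(Get-WmiObject -ComputerName $ComputerName -Query $query | ForEach-Object {
    # PartComponent looks like: \\HOST\root\cimv2:Win32_UserAccount.Domain="D",Name="N"
    if ($_.PartComponent -match 'Win32_(\w+)\.Domain="([^"]+)",Name="([^"]+)"') {
        New-Object PSObject -Property @{
            Kind = $Matches[1]
            Name = "$($Matches[2])\$($Matches[3])"
        }
    }
})

# 3. Compare (string comparison with -contains is case-insensitive).
$direct = @($members | ForEach-Object { $_.Name }) -contains $account
$groups = @($members | Where-Object { $_.Kind -eq 'Group' } | ForEach-Object { $_.Name })

New-Object PSObject -Property @{
    Server                = $svc.SystemName
    ServiceAccount        = $account
    InLocalAdministrators = ($implicitAdmins -contains $account) -or $direct
    NestedGroupsToReview  = $groups -join ', '
}
```

A result of InLocalAdministrators = False with a non-empty NestedGroupsToReview still needs those groups checked for the service account before the server is treated as compliant.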
