June 12, 2012 at 8:47 pm
Hi,
I am planning an installation of a 2-node SQL Server 2008 cluster. I do not want to grant the SQL Server service account local admin on each of the nodes, and I also do not want to add the cluster security policy group to the local Administrators group.
On a standalone machine, I used to add the below group policy rights to the service account without granting the service account local admin, and also use psexec -i -s to run the installation under the local system context (so that I do not need to grant SeDebugPrivilege to the service account), and it works.
ntrights +r SeManageVolumePrivilege -u xxxxxxxx
ntrights +r SeBatchLogonRight -u xxxxxxxx
ntrights +r SeServiceLogonRight -u xxxxxxxx
ntrights +r SeAssignPrimaryTokenPrivilege -u xxxxxxxx
ntrights +r SeIncreaseQuotaPrivilege -u xxxxxxxx
ntrights +r SeChangeNotifyPrivilege -u xxxxxxxx
Does anyone have experience installing a SQL Server cluster without granting the service account membership in the local admin group, and also without granting the service account SeDebugPrivilege in local group policy? Please share.
June 13, 2012 at 10:01 am
I'm a little unsure about your method of install. It appears as though you are logging in with the service account and then doing the install that way.
For any SQL deployment (including clusters) I log in with my own domain account and perform the installation. I add the service account at the required step and then let the install manage how the account gets provisioned.
The SQL service account is not an administrator on any of my SQL Servers.
The only manual intervention with security is to allow Lock Pages in Memory and Perform Volume Maintenance Tasks.
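Both posts above come down to the same task: assigning specific user rights to the service account instead of putting it in local Administrators. The following PowerShell script is an added example, not code from either poster; it grants the six rights listed in the first post plus Lock Pages in Memory (SeLockMemoryPrivilege) from the reply (Perform Volume Maintenance Tasks is SeManageVolumePrivilege, already in the list) using the built-in secedit tool rather than ntrights, so it needs no Resource Kit binary. The account name, the working directory under %TEMP% and the file names are assumptions; run it elevated on each node.

```powershell
# Added example (not from the thread): grant SQL Server service-account user rights
# with secedit instead of ntrights, without adding the account to local Administrators.
# Assumptions: run elevated on each cluster node; $ServiceAccount is a placeholder
# for the real domain service account (DOMAIN\svc-sql).
param(
    [string]$ServiceAccount = 'CONTOSO\svc-sql'   # placeholder; replace with the real account
)

# Rights from the original post, plus Lock Pages in Memory from the reply.
# Perform Volume Maintenance Tasks is SeManageVolumePrivilege, already listed.
# SeDebugPrivilege is deliberately NOT in this list.
$Rights = @(
    'SeManageVolumePrivilege',
    'SeBatchLogonRight',
    'SeServiceLogonRight',
    'SeAssignPrimaryTokenPrivilege',
    'SeIncreaseQuotaPrivilege',
    'SeChangeNotifyPrivilege',
    'SeLockMemoryPrivilege'
)

# secedit templates reference accounts as *S-1-5-..., so resolve the name to its SID.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).
           Translate([System.Security.Principal.SecurityIdentifier]).Value

$work   = Join-Path $env:TEMP 'sqlrights'          # assumed scratch directory
New-Item -ItemType Directory -Path $work -Force | Out-Null
$export = Join-Path $work 'current.inf'
$import = Join-Path $work 'update.inf'

# 1. Export the current user-rights assignment so existing holders are preserved.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$lines = Get-Content $export

# 2. For each right, keep every existing holder and append the service-account SID
#    once (idempotent on re-run). A right with no current holders gets only the SID.
$privSection = foreach ($r in $Rights) {
    $existing = $lines | Where-Object { $_ -match "^$r\s*=" } | Select-Object -First 1
    $holders  = if ($existing) { ($existing -split '=', 2)[1].Trim() } else { '' }
    if ($holders -eq '') {
        $holders = "*$sid"
    } elseif ($holders -notmatch [regex]::Escape("*$sid")) {
        $holders = "$holders,*$sid"
    }
    "$r = $holders"
}

# 3. Write a minimal template containing only the [Privilege Rights] section;
#    secedit leaves every right not named in the template untouched.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$($privSection -join "`r`n")
"@ | Set-Content -Path $import -Encoding Unicode

# 4. Apply the template, restricted to the user-rights area.
secedit /configure /db (Join-Path $work 'update.sdb') /cfg $import /areas USER_RIGHTS | Out-Null

# 5. Verify: re-export and show every right that now names the service account.
$verify = Join-Path $work 'verify.inf'
secedit /export /cfg $verify /areas USER_RIGHTS | Out-Null
Get-Content $verify | Where-Object { $_ -match [regex]::Escape("*$sid") }
```

The verification step at the end should list exactly the seven rights with the account's SID appended; anything else appearing there (for example SeDebugPrivilege) indicates the account already had a right the script did not grant, which is worth reviewing. Rights applied this way take effect at the account's next logon, so assign them before the SQL Server services are first started.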
June 13, 2012 at 10:12 am
Does your own domain account have domain admin rights, or local administrator rights on both of the cluster nodes?
June 13, 2012 at 10:21 am
My domain account is an administrator on the server only. I do not have domain admin permissions.
The computer object for the virtual SQL instance gets pre-created (and disabled) in Active Directory, and the object has full permissions granted on it to the cluster computer account. This means that no special permissions are required in AD to support the deployment.
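The pre-staging step described in the reply above, as an added PowerShell example that is not the poster's own script: the virtual computer object (VCO) for the SQL network name is created disabled, and the cluster computer account (the cluster name object, CNO) is given full control of it, so the person running setup needs no rights in AD beyond reading. It assumes the ActiveDirectory module (RSAT) is installed; the cluster name, network name and OU are placeholders.

```powershell
# Added example (not from the thread): pre-stage the virtual computer object (VCO) for a
# clustered SQL Server network name, disabled, and grant the cluster name object (CNO)
# full control of it. Run as an account that may create computer objects in $TargetOU.
# Assumptions: ActiveDirectory module present; all names below are placeholders.
param(
    [string]$ClusterName    = 'SQLCLU01',                          # placeholder CNO
    [string]$SqlNetworkName = 'SQLCLU01-INST1',                    # placeholder VCO
    [string]$TargetOU       = 'OU=SQL Clusters,DC=contoso,DC=com'  # placeholder OU
)
Import-Module ActiveDirectory

# 1. Create the VCO disabled, in the same OU as the CNO. Skip if it already exists.
$vco = Get-ADComputer -Filter "Name -eq '$SqlNetworkName'" -SearchBase $TargetOU
if (-not $vco) {
    $vco = New-ADComputer -Name $SqlNetworkName -Path $TargetOU -Enabled $false -PassThru
}
$cno = Get-ADComputer -Identity $ClusterName

# 2. Add an Allow/GenericAll ACE for the CNO's SID on the VCO. The cluster service
#    acts as the CNO, so this is what lets it bring the network name online.
$adPath = "AD:\$($vco.DistinguishedName)"
$acl    = Get-Acl -Path $adPath
$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $cno.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($ace)
Set-Acl -Path $adPath -AclObject $acl

# 3. Verify: the VCO should remain disabled, and exactly one Allow/GenericAll entry
#    should name the CNO (DOMAIN\SQLCLU01$).
$vco = Get-ADComputer -Identity $SqlNetworkName -Properties Enabled
"{0} enabled: {1}" -f $vco.Name, $vco.Enabled
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference -like "*\$ClusterName`$" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Leaving the object disabled matters: the cluster enables it when the network name resource first comes online, and a VCO that is already enabled with a mismatched password is a common cause of the resource failing to start. Scoping the grant to one object, rather than giving the CNO Create Computer Objects on the OU, keeps the delegation to exactly what this deployment needs.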
June 14, 2012 at 2:58 am
FineBuild can do an unattended SQL Server install of a cluster for you. Its security model is that no account, apart from the account running the install, needs local admin rights.
The account running the cluster install will also need the 'Add workstations to domain' privilege. This can be granted on a one-off basis, but the lowest-privilege built-in domain group with this right is Account Operators.
The FineBuild Reference Manual has more details about the Cluster install process.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara