March 8, 2007 at 11:26 am
Hi,
In the MSSQL folder (windows explorer), under the security tab I see this group or username: SQLServer2005MSSQLUser$ComputerName$MSSQLSERVER
Why is this there and what will happen if this is deleted when using xcacls.vbs for folder/file permissions?
Thanx.
March 9, 2007 at 5:56 am
SQL 2005 creates a number of local groups during the install process. BOL has the full details of this. They hold the service accounts used to run the various SQL services.
I have looked at deleting these groups but have decided against it. If you look in the SQL portion of the registry, you will see references to the SIDs of some groups, the names of others, and prefixes for the rest.
There is no Microsoft or newsgroup documentation on what impact there will be on SQL if the groups are deleted. If anything does break, Microsoft may well ask you to reproduce the problem using a standard environment (with the groups) before they can properly support you. We have a regulatory requirement to use vendor-supported software, so for us the groups have to stay.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara
March 23, 2007 at 3:06 am
I also see these groups. I would like to replace them with domain groups (instead of local). Is this possible, and if yes, how?
Thanks.
PS. What is "BOL"?
March 24, 2007 at 12:49 pm
BOL = Books Online.
As to whether or not you can replace them? No. You should not. If you want to use domain groups, leave the local groups in place and grant similar rights to your domain groups.
K. Brian Kelley
@kbriankelley
March 24, 2007 at 12:54 pm
Hello Brian, thanks for the answer.
The trouble is as follows - I have a NAS storage which is a part of an Active Directory forest.
When I try to create data files with SQL 2005 (SQL 2000 works fine) - I get permission denied even if I grant Full Control to Everyone. After resorting to a network sniffer, I found out that when SQL2005 tries to create the files, it tries to give permissions to the local group (the SQLServer2005MSSQLUser$ComputerName$MSSQLSERVER one) and because its SID is unknown to the ActiveDirectory, our NAS rejects it - that's why I want to use domain groups instead of local ones. Does anybody have any suggestions?
EDIT: I should mention that I am using a domain user.
March 24, 2007 at 3:11 pm
Unfortunately, I don't think you can change the way SQL Server 2005 sets itself up. Typically, though, SQL Server is set up where the drives appear locally to the server where SQL Server is running. Do you not have an option of doing that?
K. Brian Kelley
@kbriankelley
March 24, 2007 at 3:16 pm
Nope, I have to use the NAS. If I set the NAS to ignore security - everything works fine, but that's a major hole, so it is not an option. And I find it very annoying that SQL2000 used to work fine with this setup and 2005 doesn't.
March 24, 2007 at 5:37 pm
You may have to end up contacting Microsoft Support. I believe it'll continue to be a problem, especially since I think it resets the permissions on the database files when they get created to use those local groups.
K. Brian Kelley
@kbriankelley
March 25, 2007 at 11:36 am
Already did that, I was just hoping for quicker turnaround, because everyone's (including MS) support structure is glacial with regards to speed...
EDIT: Creating the files locally and then detaching, moving, and reattaching the DB with the new location works, but it is just a workaround.
March 26, 2007 at 2:31 am
I registered a request with Microsoft that it should be possible during the install to specify the groups that SQL Server uses. The response was 'This will be considered for a future release'. I think the workaround you posted of moving the database files post-install is the best you will get in a NAS environment.
If you get a fix for SQL 2005, please let the community know.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara
September 30, 2007 at 6:31 am
Hi there, I installed SQL 2005 a month ago. I also noticed all these new accounts, but we use AD and have a specific account, i.e. SQL.
I remember somewhere in the install I told it not to use the preset ones but use domain\sql for all services.....
Hope that helps.
December 22, 2008 at 10:58 am
You can use 'domain groups' ONLY in case of clusters.
thx
vj
November 6, 2013 at 7:21 pm
The SQL Server 2005 installation creates these group accounts. You can find them and their descriptions, members, and properties in Administrative Tools > Computer Management > Local Users and Groups > Groups.
SQLServer2005MSFTEUser is for access to SQL Server and SQL Server FullText Search
SQLServer2005MSSQLUser is for access to SQL Server and SQL Server FullText Search
SQLServer2005SQLAgentUser is for access to SQL Server Agent
Based on my installation and environment, each group should contain
a) the account used to run SQL services
b) NT AUTHORITY\SYSTEM
Based on my installation and environment, the accounts are given various permissions on the directory and subdirectories to which SQL Server 2005 was installed, such as <install drive>:\Microsoft SQL Server.
For example, SQLServer2005MSSQLUser is given Full Control of D:\Microsoft SQL Server\MSSQL.2\Data\
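An added example, not part of any post in this thread: a read-only PowerShell check to run before changing folder permissions with a tool such as xcacls.vbs. It lists the setup-created local groups with their members, then the ACL entries on the data directory that reference them or that no longer resolve to a name. The default path is the one quoted in the post above and the group-name pattern is an assumption; adjust both for your instance.

```powershell
# Added example, not code from the thread. Read-only: it changes nothing.
# Assumptions: $DataPath is the example path from the post above;
# $GroupPattern matches the setup-created local groups on this machine.
param(
    [string]$DataPath     = 'D:\Microsoft SQL Server\MSSQL.2\Data',
    [string]$GroupPattern = 'SQLServer2005*'
)

# 1. Local groups created by setup, with their members (WinNT ADSI provider).
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$groups = $computer.psbase.Children | Where-Object {
    $_.psbase.SchemaClassName -eq 'Group' -and "$($_.Name)" -like $GroupPattern
}
foreach ($g in $groups) {
    $members = @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    New-Object PSObject -Property @{
        Group   = "$($g.Name)"
        Members = ($members -join ', ')
    }
}

# 2. ACEs on the data directory that reference those groups, plus any ACE
#    whose SID does not translate to a name (shown as a raw S-1-... string).
$acl = Get-Acl -LiteralPath $DataPath
$acl.Access | Where-Object {
    $id = $_.IdentityReference.Value
    ($id -like "*\$GroupPattern") -or ($id -like 'S-1-*')
} | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Saving the output before any permission change gives a baseline to restore from if a SQL service stops starting afterwards.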