Post reply

Windows Permissions

  • July 18, 2006 at 6:20 am

    #61674

    I was wondering what level of permissions most DBA's have to their servers.

    Our Network Administrators will not allow us to be members of the local administrators group, which creates a number of headaches for us, not least not being able to stop & start SQL services, let alone installations, patches and performance monitoring.

    Does anyone else work under the same restrictions, or can you help me with more convincing arguments for DBAs being windows administrators on their servers.

  • July 18, 2006 at 7:30 am

    #649774

    our shop thinks of DBA's as two different categories....there's development DBA's, which only need access to the databases in order to create schemas, write procs,review other developers code, etc.. That role is as you describe; pretty much locked down to have just access to all data, but not the OS.

    then there is the administrative DBA, who creates backups,starts /stops the server, keeps the patches up to date,  tunes the server by creating partitions and moving indexes to file groups, tickles the SAN, etc. that role has local DBA rights, otherwise he couldn't do his job.

    if your job is the second, and the network admins think you are in the first role i mentioned, explain that to them; otherwise, make them in charge of all the implementations of the second role.

     

    Lowell

    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

  • July 18, 2006 at 9:33 am

    #649836

    You will be able to request the admin rights if you prove that you have the proper knowledge. I would (and I did) pass a  Windows 2003 server exam. In some cases I have to administer databases where I don't have admin access to the server due to regulations /business rules. In this case I plan all my work on these servers with the server admin so he/she will be sitting next to me when I am doing the maintenance or installations.

    Regards,Yelena Varsha

  • July 19, 2006 at 3:16 am

    #650036

    In our shop we run SQL using a local admin account, but DBAs all have general user account access.  You can use Windows permissioning to allow any account to start/stop services, which we have done. 

    We use GPOs to set the permissions to allow DBAs to start/stop SQL and some application services, look at the Windows System and Application event logs, and reboot the box.  We also have Full Control over the SQL registry keys, and other keys we need such as Litespeed.  File permissions are currently set by ACL scripting, but we plan to move this to GPOs later this year.  Your system admin people should understand GPOs, and be able to set this up for you.

    When we need to apply maintenance to SQL, we can request that a local admin account is unlocked.  We can use this to apply the SP or Hotfix, then the account gets disabled.

    Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.

    When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara

  • July 19, 2006 at 4:20 am

    #650044

    I think If you are DB-ADMIN on that machine (which makes you responsible for every heartbeat that machine does) then it sounds very logical that you should be localadmin on that machine. Within our company we DBA's have localadmin grant to all SQL-dedicated machines (but not others).

  • July 19, 2006 at 5:00 am

    #650054

    In some situations it can be frustrating to have to get a local admin account unlocked to allow me to do some work, but this is a very rare situation.  Over time we have added additional permissions via GPOs so that we can do our Production DBA work without the need for local admin.

    Most times I am very happy that we do not have local admin.  It means there are a shedload of possible problems where we can say 'Nothing to do with us'.  When we did have local admin, it used to be almost 50-50 if a DBA or a Infrastructure person had done something that broke a server.  Now that the DBAs no longer have local admin but the infrastrcture people still do, the split is about 20% - 80%.  OK - nobody should go around breaking machines, but shit happens and nowadays a lot less of it is caused by the DBA staff.

    Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.

    When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara

  • July 19, 2006 at 5:53 am

    #650064

    Well EdVassie you are right in some sense

    Sometimes you really want to get-rid of the extra load that are caused by sysadmin guys But if you do not have enough permissions that you need to complete what you are trying to do, then it is you know!

Viewing 7 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic. Login to reply