May 23, 2008 at 2:03 am
I have been changing the accounts that the SQL Service / SQL Agent Services use to start - from Local System to an Active Directory domain account with limited privileges.
To get this to work, I had to stop the service, add the account to the local server Administrators group, change the startup accounts and have this account as a SQL Server SysAdmin. If I then remove the new account from the local server Administrators group it still works. Having done this before I don't remember having to do all this. Instead, I just simply assigned the new login and restarted the services.
Also, when I select the Deny option for the BUILTIN\Administrators login, I cannot Windows Authenticate from a remote machine, despite having a generic AD SQL DBA Group assigned as a System Admin on the SQL Server, of which I am a member?
I'm confused. What exactly does the AD account have to be a member of and what privileges does it need within SQL Server itself?
I'm trying to keep this as simple as possible.
Thanks in advance
Steve
May 23, 2008 at 6:34 am
I have now fixed this. The generic DBA account was in the BUILTIN\Administrators login which I had denied (as a test). This was taking precedence. When I fully deleted this account it worked.
One more question: when I use the new domain account to start SQL Agent, and this account is not a SQL SysAdmin, it won't start. When I add it, it does start (after which I then remove it!). I thought it only needs to be a SysAdmin if you flag the service to Auto Restart?
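Added example (not part of the original posts): T-SQL for tracing the behaviour described above, where a deny on one Windows group overrides sysadmin access granted through another. It assumes SQL Server 2005 or later, where the login's Deny setting is stored as DENY CONNECT SQL; `CONTOSO\steve` is a placeholder account name.

```sql
-- 1. Windows logins and groups with any explicit CONNECT SQL grant or deny.
--    A DENY row on a group applies to every member of that group,
--    even when the member also has access through another group.
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,
       perm.state_desc AS connect_sql_state
FROM sys.server_principals AS sp
LEFT JOIN sys.server_permissions AS perm
       ON perm.grantee_principal_id = sp.principal_id
      AND perm.class = 100                    -- server-level permission
      AND perm.permission_name = N'CONNECT SQL'
WHERE sp.type IN ('U', 'G')                   -- Windows user, Windows group
ORDER BY sp.name;

-- 2. Who holds the sysadmin fixed server role (directly, as a login or group).
SELECT member.name, member.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS role_p
       ON role_p.principal_id = rm.role_principal_id
JOIN sys.server_principals AS member
       ON member.principal_id = rm.member_principal_id
WHERE role_p.name = N'sysadmin'
ORDER BY member.name;

-- 3. Every permission path (group membership) through which one Windows
--    account reaches this server. Placeholder account name: replace it.
EXEC master.dbo.xp_logininfo
     @acctname = N'CONTOSO\steve',
     @option   = 'all';
```

If the account in step 3 lists a group that shows `DENY` in step 1, the connection is refused regardless of the other paths.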