Test

  • Can someone remind me what permissions I need to set to enable a local administrator to run the SQL Server and SQL Server Agent Services? 

    We currently have our new test server running the services using the local system account but I have read that this account is inappropriate to use.

    Thanks

    Carl

  • You need either a local or domain user that has local administrative rights on the server the service is going to run on.

    In addition, if using mixed mode authentication, and expecting to read/write data/files onto the network the userid then also needs appropriate permissions to those resources on the network.



    ----------------
    Jim P.

    A little bit of this and a little byte of that can cause bloatware.

  • Local administrative rights are not necessary and unless there is a business or functional reason as to why they should be there, it's generally advised against from a security perspective (Principle of Least Privilege).

    If you're going to manually set permissions, here's what you need:

    How to change the SQL Server or SQL Server Agent Service account without using SQL Enterprise Manager in SQL Server 2000 (283811)

    As to the ramifications, in Books Online:

    Installing SQL Server >> Overview of Installing SQL Server 2000 >> Setting up Window service accounts

    K. Brian Kelley
    @kbriankelley

  • Microsoft says:

    "Using a dedicated user account means creating a domain user account that is used solely for the SQL Server and SQL Server Agent services. This domain user account should be configured with the Password Never Expires option. The domain user account you create needs certain special access rights on the local computer, but does not need to be a member of the Administrators local group and does not need to be a domain administrator. These special access rights include the right to log on as a service, the right to access and change the SQL Server folder, the right to access and change database files, and read and write access to certain keys in the Windows registry. The SQL Server 2000 Setup program grants these rights automatically to the domain user account you specify. Certain additional rights might be required for specific tasks, such as performing certain types of jobs or registering your SQL Server 2000 installation with Active Directory directory services."

  • Yeahh, Yeah, my bad.....

    But if I read the above correctly "The SQL Server 2000 Setup program grants these rights automatically" you need to re-run the setup as opposed to just editing the service.

    I'm probably wrong on that too. I just did a quick reply yesterday. (And didn't have much coffee in me yet.)



    ----------------
    Jim P.

    A little bit of this and a little byte of that can cause bloatware.

  • Going through SQL Server Enterprise Manager and changing the service account using that tool usually gets all of these rights set correctly. So running setup again is not necessary.

    K. Brian Kelley
    @kbriankelley

  • Ahhhh.....that explains it.

    I've gotten used to just stopping the services, changing the userid, and then starting the services.

    My shortcuts have led to errors in my perceptions.

    As he goes off muttering bad boy, you should know better...



    ----------------
    Jim P.

    A little bit of this and a little byte of that can cause bloatware.
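
Added example, not part of any post in this thread: a PowerShell audit for the situation discussed above, where the service account was changed by hand and the rights from the Microsoft quote may not have been granted. It checks only two of those points (local Administrators membership and the "log on as a service" right) and assumes the default-instance service names `MSSQLSERVER` and `SQLSERVERAGENT`, a host with the `Microsoft.PowerShell.LocalAccounts` module, and an elevated session.

```powershell
# Added audit sketch, not from the thread. Run elevated on the SQL Server host.
# Assumption: default-instance service names (named instances use other names).
$serviceNames = 'MSSQLSERVER', 'SQLSERVERAGENT'

# Export the user-rights section of local security policy and read the
# "log on as a service" assignment (comma-separated *SID or account names).
$cfg = Join-Path $env:TEMP 'user_rights_audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
$logonAsService = @()
if ($line) {
    $logonAsService = ($line.Line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Direct members of BUILTIN\Administrators (well-known SID S-1-5-32-544).
# Nested domain groups are not expanded here.
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value }

Get-CimInstance Win32_Service |
    Where-Object { $serviceNames -contains $_.Name } |
    ForEach-Object {
        $account  = $_.StartName
        $findings = @()
        if ($account -eq 'LocalSystem') {
            $findings += 'Runs as LocalSystem'
        } elseif ($account) {
            # ".\user" means a local account; NTAccount needs the machine name.
            $resolved = $account -replace '^\.\\', "$env:COMPUTERNAME\"
            $sid = ([System.Security.Principal.NTAccount]$resolved).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            if ($adminSids -contains $sid) {
                $findings += 'Member of local Administrators'
            }
            # The right may also arrive through a group; this only checks a direct grant.
            if (($logonAsService -notcontains $sid) -and ($logonAsService -notcontains $resolved)) {
                $findings += 'Not listed directly for "log on as a service"'
            }
        }
        if (-not $findings) { $findings = @('No findings') }
        [pscustomobject]@{
            Service  = $_.Name
            Account  = $account
            Findings = $findings -join '; '
        }
    }
```

The folder, database file and registry permissions named in the quote are not checked by this script and still need to be reviewed separately.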
