Different domain accounts running job

  • Folks,

    We are looking to increase our security and one of the areas is the domain account that runs our jobs.  Is it possible to have different domain accounts run different jobs?  For example, I have Domain Account 1 and Domain Account 2 and each has rights to certain resources (file shares, databases, etc).  Suppose I have Job 1 and Job 2.  I want Domain Account 1 to run Job 1 and Domain Account 2 to run Job 2.  Is this possible?

    Any direction on this topic would be greatly appreciated.

     

  • Yes Lee. Each job can be owned and executed by different domain accounts with required privilage.

    Regards

    Utsab Chattopadhyay

  • Thank you for your reply.  Can you point me in the direction of how to do this?  My research has turned up nothing so far.  Also, I would assume when you setup a job, you must supply the domain account's password.  I would assume when this password changes, then the job must be touched to update the password that it was configured with.  Do you know of a way to automate the process of changing the password on the job using a script or something?

    Thanks again for your help.

  • Hi Lee,

     

    Please follow the below steps:

     

    Sql server agent --> jobs --> select the desired job --> right click and select properties --> select general tab --> change owner to the desired domain account

     

    For each step level security configuration:

     

    Select the step à Edit à Advance Tab à Enter the Desired User in “Run As” user field.

     

    Your concern about password will be taken care by the SQL Server only. Please let me know if you need any further information.

     

    Regards

    Utsab Chattopadhyay

  • Again, thank you for the quick reply.  I will look into this.

     

    Lee

  • Okay, I have a little more on this.  Please correct me if I'm wrong on this.

    I create a domain account that has rights to the resources it needs (file shares, database, etc).

    In SQL Server, I create a Credential and assign the domain account and domain password to it.

    In SQL Server, I create a Proxy that specifies the Credential.

    In SQL Server, I create a job and a job step and specify the Proxy.

    If this is all correct, then can I write a script that will change the password of the domain account that is defined in the Credential when the domain account password changes?

     

  • I guess you can skip the entire "proxy" part only.

    You can create a job and assign the ownership [run as] of that job step to different domain users as per your security design. This will be enough secure considering your DC has proper security enforced.

    Password changing .. etc will be taken care by Windows DC only and eventually SQL Server will be talking to DC/Win Server for authentication purpose. So u will have to write no script also

    Please let me know if you need any more information..

    Regards

    Utsab Chattopadhyay

  • I didn't think the Run As allows things other than Proxy accounts.

Viewing 8 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply