June 6, 2012 at 1:58 pm
opc.three (6/6/2012)
You say they are sysadmins, well they could be doing something like this which does not require them to know the password of the service account and would still get the Agent log entry to show that DOMAIN\SvcAcct invoked the job and not themselves:
EXECUTE AS LOGIN = N'DOMAIN\SvcAcct'
GO
EXEC msdb.dbo.sp_start_job
@job_name = 'JobA'
GO
REVERT
GO
I think I made the mistake of dismissing this one as a possibility because the users are sysadmin. However, seeing some of the things they are doing, I shouldn't put it past them.
With your level of concern, I think at a fundamental level you need to address who has sysadmin on your instance.
That is something we are doing now. They were given sysadmin because it was supposed to be a short project. Well, a year later, they still have it, and if I just pull it, most of these folks won't be able to do their jobs. It will take some planning and coordination to remove them from this role.
Also, are you sure you're not mixing up your messages of "invoked by" and "executed as"? That can be a common misconception too:
Nope. They all say "invoked by". In fact, I found some jobs that were stopped. The text from the messages column reads:
The job was stopped prior to completion by User DOMAIN\SvcAcct. The Job was invoked by User DOMAIN\SvcAcct. The last step to run was step 1 (Stepname).
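An added example, not part of the original posts: because the Agent history only records the impersonated login, one way to see who actually issued `EXECUTE AS LOGIN` is to list who is able to impersonate the service account and then audit impersonation events. The audit name, specification name and file path are assumptions, and it assumes an edition and version that supports server-level auditing (all editions from SQL Server 2012, Enterprise on 2008).

```sql
USE master;
GO
-- 1. Who can impersonate DOMAIN\SvcAcct? sysadmin members can implicitly;
--    other logins need an explicit IMPERSONATE grant on that login.
SELECT m.name AS login_name, 'sysadmin member' AS reason
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
UNION ALL
SELECT g.name, 'IMPERSONATE granted'
FROM sys.server_permissions AS p
JOIN sys.server_principals AS g ON g.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS t ON t.principal_id = p.major_id
WHERE p.class = 101                        -- 101 = SERVER_PRINCIPAL
  AND p.permission_name = N'IMPERSONATE'
  AND p.state IN ('G', 'W')                -- GRANT / GRANT WITH GRANT OPTION
  AND t.name = N'DOMAIN\SvcAcct';
GO

-- 2. Record every server-level impersonation (EXECUTE AS LOGIN).
CREATE SERVER AUDIT ImpersonationAudit             -- hypothetical name
TO FILE (FILEPATH = N'D:\SqlAudit\');              -- assumed path; folder must exist
GO
CREATE SERVER AUDIT SPECIFICATION ImpersonationAuditSpec  -- hypothetical name
FOR SERVER AUDIT ImpersonationAudit
ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT ImpersonationAudit WITH (STATE = ON);
GO

-- 3. Review the events. session_server_principal_name is the login that
--    opened the session, which stays the same across EXECUTE AS.
SELECT event_time,
       action_id,
       session_server_principal_name,
       server_principal_name,
       target_server_principal_name,
       statement
FROM sys.fn_get_audit_file(N'D:\SqlAudit\ImpersonationAudit*.sqlaudit',
                           DEFAULT, DEFAULT)
ORDER BY event_time;
GO
```

Matching the `event_time` of an impersonation event against the run time of a job whose history says "invoked by User DOMAIN\SvcAcct" ties that run back to the session login.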