SQL Server Services Account

  • Windows Server 2003,  SQL Server 2000 Pro

    I am currently using the domain admin to run the SQL services under.  I want to change this to a non-domain admin account.  Assuming this account has local admin rights, is set up as a SQL Administrator, and has access to all necessary network resources, would this configuration be recommended?

    Are there any other pieces I should be considering?

    Any direction would be greatly appreciated!

  • I guess you are asking about a non-"domain admin", meaning a domain account that does not have domain admin rights. Yes, it is recommended if your server has to communicate with other servers and the security context of the communication will be the SQL Server or Agent startup account. In the case where the server does not have to communicate with other servers, like in the case of a web application using it on the same machine where that is the only function for this SQL Server, I would recommend running the services on local accounts.

    Regards, Yelena Varsha

  • Thank you, Yelena. 

    My server does communicate with other servers, such as other SQL Servers and Active Directory.  Any resource I must access will be granting sufficient rights for my chosen account.  Based on what I believe you are saying, in this scenario, it would be recommended to use a non "domain admin" account for the SQL Server and SQL Agent startup account? 

    Sorry for asking a redundant question, I just want to be sure I'm understanding correctly.

    Thanks again!

  • Hello JuanBob,

    Yes, you do understand correctly.

    Here is what I normally do: I request a domain account without any administrative rights to the domain. This account should have "Password Never Expires" checked. Then I make this account a member of local administrators on the server. Because it is now a member of Builtin/Administrators I don't have to add this account to SQL Server in the cases where Builtin/Administrators was not removed from SQL Server. In the case where I don't have Builtin/Administrators in SQL Server I add this account to SQL Server. I change the startup account for SQL Server in Enterprise Manager so all permissions will be assigned to it automatically. Now, I have to grant rights to the domain resources to this account. You say it needs to access Active Directory, so make sure your network admin gives this account rights to Active Directory. I give the appropriate share and NTFS permissions to the shares for this account if it has to access shares on other servers. If this account has to access other SQL Servers, give it rights as well. I would advise using this account to log in locally to Windows on the computer that is running SQL Server before you do most of the above. This will assure that a local profile is created for this account on the server.

    Yelena

    Regards, Yelena Varsha
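A defender-side check for the starting point described in this thread (SQL services running under a domain admin), as an added example that is not part of the original posts: it parses saved output of `sc qc <service>` and `net group "Domain Admins" /domain` and lists services whose startup account is a direct member of Domain Admins. The sample output, the `CORP` domain and the account names are constructed; nested group membership and account names containing spaces are not handled.

```python
import re

# Constructed sample: trimmed `sc qc MSSQLSERVER` and `sc qc SQLSERVERAGENT` output.
SC_QC_OUTPUT = """\
SERVICE_NAME: MSSQLSERVER
        START_TYPE         : 2   AUTO_START
        SERVICE_START_NAME : CORP\\Administrator

SERVICE_NAME: SQLSERVERAGENT
        START_TYPE         : 2   AUTO_START
        SERVICE_START_NAME : CORP\\svc-sql
"""

# Constructed sample: `net group "Domain Admins" /domain` output.
NET_GROUP_OUTPUT = """\
Group name     Domain Admins

Members

-------------------------------------------------------------------------------
Administrator            dba-admin
The command completed successfully.
"""

def parse_service_accounts(text):
    """Map each SERVICE_NAME to its SERVICE_START_NAME (the startup account)."""
    accounts, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            current = value
        elif key == "SERVICE_START_NAME" and current:
            accounts[current] = value
    return accounts

def parse_group_members(text):
    """Lower-cased names listed between the dashed rule and the status line."""
    body = re.split(r"^-{5,}\s*$", text, flags=re.M)[-1]
    return {n.lower() for n in body.split("The command completed")[0].split()}

def services_running_as_domain_admin(sc_text, group_text):
    """(service, account) pairs whose startup account is in Domain Admins."""
    admins = parse_group_members(group_text)
    hits = []
    for svc, acct in sorted(parse_service_accounts(sc_text).items()):
        domain, _, user = acct.rpartition("\\")
        # LocalSystem has no domain part and ".\name" is a local account: skip both.
        if domain not in ("", ".") and user.lower() in admins:
            hits.append((svc, acct))
    return hits
```

An empty result from `services_running_as_domain_admin` after the startup account has been changed confirms that neither service still runs as a direct Domain Admins member.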

  • Very clear and thorough explanation.  Again, thank you so much!  It is sincerely appreciated!
