October 2, 2003 at 9:56 am
I'm polling DBA's regarding their setup of SQL Server Service accounts. I'm trying to determine the number of sites that are running their Service Accounts do not have any extra permissions. Basically the Server accounts are local accounts, or domain accounts, but only fall into the "Users" group on the SQL Server machine.
So to help with this poll please respond to this post and let me know which category you fall into for your MSSQLSERVER service account. Yeh, I know there are other services being run, but I'm narrowing this poll down to only this one.
CATEGORY 1: Run MSSQLSERVER with a user that has Administrative permissions on the SQL Server machine.
Category 2: Run MSSQLSERVER with as System Account (LocalSystem)
Category 3: Run MSSQLSERVER with a user that is basically only a member of the local "Users" group.
Here is my assumption.
1) Only a small percentage of sites fall into Category 3.
2) Category 3 is more secure
3) There are no issues with running under category 3 (this is a big assumption, thats why I have another question below).
One last question. Has anyone found any issues with and of the SQL Server Services under a user that falls into Category 3?
If you haven't already figured it out, I'm considering moving my services to Category 3. Although I'm using this forum to test the water to determine whether it is warm, semi-warm, or flat out icy cold. I can handle swimming in warm, or semi-warm, but jump in when I know the water is icy cold. So basically you feedback regarding moving to Category 3 will be greatly appreciated.
Gregory A. Larsen, DBA
Contributor to 'The Best of SQLServerCentral.com 2002' book. Get a copy here: http:www.sqlservercentral.com/bestof/purchase.asp
Need SQL Server Examples check out my website at http://www.geocities.com/sqlserverexamples
Gregory A. Larsen, MVP
October 2, 2003 at 1:38 pm
I create all new sql 2000 servers as a 'domain user' which would fall into Category 3. So far I have only got a couple, but have had no problems, so far.
As a side effect if you log into the console with that account, you don't have rights to reboot the server. Hence you may need a second account with admin rights to install service packs etc. (Personally I think this is a positive side effect).
Steven
October 3, 2003 at 1:39 am
I too have setup all of my SQL Server's with Domain Accounts, approx half a dozen now, and have had no problems.
October 3, 2003 at 2:27 am
All ours are set up to use a single domain account, which is granted local admin rights on each server.
It's not the safest way, but I've not yet got round to doing anything more comprehensive.
Thomas Rushton
blog: https://thelonedba.wordpress.com
October 3, 2003 at 7:52 am
I know some of our servers use an account with local admin permissions, category 1. Probably all are like that.
Doesn't SQL Server need an account with local admin permissions for some of its features, like e-mail capabilities, clustering and/or replication?
Robert W. Marda
SQL Programmer
bigdough.com
The world’s leading capital markets contact database and software platform.
Robert W. Marda
Billing and OSS Specialist - SQL Programmer
MCL Systems
October 3, 2003 at 11:48 am
I'm using a domain account that falls into your category 3. This arrangement seems to work fine with the possible exception of one issue that I haven't resolved yet. I have a DTS package that runs as a scheduled job and produces a 'Permission denied: CreateObject' error in a ActiveX script. The problem seems to be the one described in KB article 298725 yet running the DCOMCnfg.exe utility and granting the appropriate permissions to the sql server agent domain account doesn't fix the error. However, if I grant local Admin rights to the sql server agent startup account the error goes away. Other than this one error we're not having any problems running our sql servers under a 'category 3' account.
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply