November 11, 2005 at 12:15 pm
What permissions are required to stop/start the MS SQL Server and Agent service on Windows 2003 with a user that is not in the BUILTIN/Administrator group?
NOTE: This user is used to run the service and is started by a user in the BUILTIN/Administrator group!
November 11, 2005 at 1:28 pm
Kory,
Builtin/Administrators exists when SQL Server is already started. It is a part of SQL Server. To start a service in Windows you have to be in the Administrators Windows group or in Power Users (I think so).
Additionally, if you want to know what rights the startup account should have (the account that the SQL Server service is running under), see
http://support.microsoft.com/default.aspx?scid=kb;en-us;283811
Article ID: 283811
It talks about permissions and rights too, both NTFS, Rights, Registry etc. if you want to use an account that does not belong to Administrators.
Regards, Yelena Varsha
November 11, 2005 at 1:35 pm
I have removed Builtin/Administrators from the SQL Server as a login. The last thing I want is a dependency on a Windows admin to restart my data server!
November 11, 2005 at 1:37 pm
Kory,
I added to my prev. post, see above.
Windows admins will be able to start your data server anyway. Ask to add you to Administrators.
Regards, Yelena Varsha
November 11, 2005 at 1:45 pm
The above link has been applied!
Right now my login and the SQL Service/Agent login are not part of the Administrator group, which is perfect. He has no rights to MS SQL Server and I have no unneeded rights to the host. I do want to be able to start/stop the SQL Services with my login or the SQL Service login! I am not concerned the win admin can via the service or a host restart!
November 11, 2005 at 1:55 pm
Kory,
The BuiltIn/Administrators account within SQL Server exists so that a member of the Windows Administrators group can log in to SQL Server. It is not related to the Windows account used to run SQL Server under.
Removing it from SQL Server has no impact on the SQL Server and SQL Agent services. It will only prevent users belonging to the Windows Administrators group from logging into SQL Server using Windows Authentication. I would recommend leaving the BuiltIn/Administrators login in SQL Server in the event that the SA password is lost or forgotten. If this happens and you do not have another Windows or SQL Server account that has DBO rights, you'll be up a creek.
Refer to the link posted by Yelena for instructions on how to change the user that will run the SQL services.
November 11, 2005 at 1:59 pm
Kory,
Then your Windows login should be a member of Administrators or Power Users or, as our sysadmin suggested here, maybe Backup Operators too have the same right. From within SQL Server you may only stop it by sending a command. You will not be able to start SQL Server from within SQL Server if it is not started in the first place. Then the SQL Server startup account should be in Windows groups that have rights to start/stop services: Administrators or Power Users or maybe Backup Operators.
Regards, Yelena Varsha
November 11, 2005 at 2:04 pm
Let me ask this another way!
I have a user that is a non-administrator that is running MS SQL Server! If I use the non-admin account to stop/start the service I get access denied. The only way I can currently start/stop the MS SQL Server services as the non-admin user is by logging in to the host as a user with admin privileges and starting/stopping the service. I want to start/stop the service with the non-admin user! Can this be done?
I want the same separation of permissions as I would have with root and a dba login in a UNIX environment, should I be running Sybase, Oracle, DB2!
November 11, 2005 at 2:13 pm
The Microsoft KBase that Yelena posted outlines all of the permissions and rights that a non-administrator account needs to run SQL Server. I know you said that the items from this Kbase were applied, but I would double/triple check. Did you add the Windows account into SQL Server as a SysAdmin?
November 11, 2005 at 2:16 pm
Kory,
I do understand what you are asking. The service startup account can be anything, even with minimal privileges; the only thing it should have is access to the folder where the service executable is stored. But the person (He, She, It) who starts/stops this service must be either in Administrators or in Power Users; not sure about Backup Operators, as I say.
I was looking into this issue for a while; I wanted to find a Right that I will just add to start or stop the service. I did not find one so far. Try to ask Rudy Komacsar.
Regards, Yelena Varsha
November 11, 2005 at 2:25 pm
Sorry, it was so hard for me to ask that question the right way! Stopping/Starting the SQL Server/Agent service with the non-admin account is the last piece of the puzzle I need to finalize SQL Server security!