• jasona.work (1/12/2015)


    I'm working on cleaning up some bad choices made during SQL setup on a few boxes of mine, and one of the items on the list is getting the SQL Server service account out of the local Administrators group.

    My first "victim" is a SQL 2008 R2 SP2 server; the service account is a domain account (which also may not be required) and was added during the SQL Setup.

    This is a virtual machine, so I can snapshot the VM to give myself a "bailout" button, as well as being a QA box.

    The service account should use a low-privilege domain user account and doesn't need to be a member of the local admins group.

    jasona.work (1/12/2015)


    So, I see one of two ways to do this:

    1. Just remove the account from the local Admin group, restart SQL and make sure it comes up OK

    2. Switch SQL to something like LocalService, remove the current account from local Admins, then re-add it as the service account.

    Obviously, any changes to the service account will be done in the SQL Configuration Manager.

    Right track, wrong track?

    Which of the two options seems less likely to cause headaches for me? I'm leaning towards #1 should work OK, and worst case if it fails I try #2.

    Thanks all,

    Jason

    Just remove the account from the local admins; all permissions like run as a service, etc. are granted at install time.

    You might just check first whether any of the SQL Server directories have been secured for administrator access only; if so, give the SQL instance account access to these locations. If necessary, give the agent account access too.

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉
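
The directory check suggested in the reply above, as an added example that is not part of the original thread: a read-only PowerShell audit that reports the service's logon account and flags directories whose Allow entries name only administrator-level identities. The service name (default instance) and the directory paths are assumptions; replace them with your own.

```powershell
# Added example: read-only audit, run from an elevated PowerShell prompt on the SQL host.
# ASSUMPTIONS: default instance (service name MSSQLSERVER) and placeholder directories.
$ServiceName = 'MSSQLSERVER'                      # named instance: 'MSSQL$<InstanceName>'
$Directories = @('D:\SQLData', 'E:\SQLLogs', 'F:\SQLBackup')   # placeholders

# Access held only through these identities is lost (or was never the service's own)
# once the service account is removed from the local Administrators group.
# Names are the English ones; adjust on localized systems.
$AdminOnly = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

# Get-WmiObject is used so the script also runs on PowerShell 2.0.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found" }
"Service account: $($svc.StartName)"

foreach ($dir in $Directories) {
    if (-not (Test-Path -Path $dir)) {
        "MISSING     $dir"
        continue
    }

    # Keep only Allow entries, then drop the administrator-level identities.
    $allow  = (Get-Acl -Path $dir).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' }
    $others = @($allow |
        Where-Object { $AdminOnly -notcontains $_.IdentityReference.Value })

    if ($others.Count -eq 0) {
        # Nothing but admin-level entries: the case the reply warns about.
        "ADMIN-ONLY  $dir"
    } else {
        "REVIEW      $dir"
        $others | ForEach-Object {
            "    {0}  {1}" -f $_.IdentityReference.Value, $_.FileSystemRights
        }
    }
}
```

A `REVIEW` line only means non-administrator entries exist; confirm that one of them is the service account itself or a group it belongs to before removing it from local Administrators. Repeat with the SQL Server Agent service name to cover the agent account.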