August 18, 2011 at 5:55 am
As part of the SQL Server install(SQL2008) several local groups are created, such as:
SQLServerMSSQLUser$ComputerName$MSSQLSERVER
SQLServerSQLAgentUser$ComputerName$MSSQLSERVER
SQLServerDTSUser$ComputerName
Does the account with which we start the SQL Server instance need to be part of these groups? Do we need to add the SQL Server service account to these groups?
Please advice.
Thanks,
Ravi
August 18, 2011 at 8:48 am
I usually remove them - hate generic stuff! However, don't unless you're absolutely sure your roles and permissions are right. Even more so if you're on a cluster.
I don't have these on my production clusters and everything works ok.
[font="Comic Sans MS"]The GrumpyOldDBA[/font]
www.grumpyolddba.co.uk
http://sqlblogcasts.com/blogs/grumpyolddba/
August 18, 2011 at 10:53 pm
Thanks Robert.
For SQL 2005 install i remember seeing the SQL Server service account in these groups. But for SQL 2008 install the account seems to be missing.
February 6, 2016 at 4:40 am
This is an old discussion. It may still be relevant. Has anyone ever attempted to map the permissions required to create the ACL's and so on for these security groups? I've inherited one that has them removed. I suspect it will be easier to remove the installations instance by instance and reinstall them but if there is an easy way to add the security groups back in (SQLServerDTSUser$, SQLServerMSSQLUser$, SQLServerAgetUser$ in particular), please share.
I believe these are correct but it would be nice to have some verification (SQL 2012)
Integration Services
Default instance or a named instance: SQLServerDTSUser $ ComputerName
The service capacity Login (SeServiceLogonRight,)
Write access to the application event log.
Bypass traverse checking (SeChangeNotifyPrivilege)
Authentication Impersonate a client after (SeImpersonatePrivilege)
SQL Server Agent 3
Default instance: SQLServerSQLAgentUser $ ComputerName $ MSSQLSERVER
Named instance: SQLServerSQLAgentUser $ ComputerName $ InstanceName
The service capacity Login (SeServiceLogonRight,)
As a batch job the Login (SeBatchLogonRight)
Replace a process level token (SeAssignPrimaryTokenPrivilege)
Bypass traverse checking (SeChangeNotifyPrivilege)
Adjust memory quotas (SeIncreaseQuotaPrivilege)
SQL Server
Default instance: SQLServerMSSQLUser $ ComputerName $ MSSQLSERVER
Named instance: SQLServerMSSQLUser $ ComputerName $ InstanceName
Service capacity login (SeServiceLogonRight)
As a batch job the Login (SeBatchLogonRight)
Replace a process level token (SeAssignPrimaryTokenPrivilege)
Bypass traverse checking (SeChangeNotifyPrivilege)
Adjust memory quotas (SeIncreaseQuotaPrivilege)
Permission to start SQL Server Active Directory Helper
Start SQL Writer's permission
Permission to read the event log service
Permission to read the Remote Procedure Call service
SOURCE http://www.databasesql.info/article/124980796/
Jamie
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply