SQL Service account change
Posted Monday, October 21, 2013 11:44 PM
Was there any resolution to this issue? I am experiencing a very similar issue at the moment...
Post #1506968
Posted Wednesday, October 30, 2013 5:59 AM
muthyala_51 (4/29/2013)
Is the new service account added to the Local administrator group on both the servers (primary and secondary)?


This is not required - The account just needs to be able to read\write from the location of the logs, both primary and secondary. Do not add service accounts to local admin groups.
Post #1509733
Posted Thursday, October 31, 2013 8:18 AM
SQLSteve (10/30/2013)
muthyala_51 (4/29/2013)
Is the new service account added to the Local administrator group on both the servers (primary and secondary)?


This is not required - The account just needs to be able to read\write from the location of the logs, both primary and secondary. Do not add service accounts to local admin groups.



Can you explain in detail why a service account doesn't need to be added to the admin group? Pros and cons.
Post #1510200
Posted Thursday, October 31, 2013 8:52 AM


When setting up your service accounts you want to follow the principle of least privilege. Basically this means that you only want to grant the necessary rights to your service account to do its job and nothing more. I have never come across a reason that I needed my service account to be a domain admin or a local admin. I simply grant the necessary permissions to the account and that is all.

The reason for this is security, plain and simple. If your service account gets hacked you want to limit your potential damage by limiting the hacker's surface area. Domain admin and/or local admin is a pretty big surface area.

Now a couple of people have asked if the new account has read/write access to the location of the Tlog backups. Does it? Start there. Also, any changes you make to your service account need to be done through SQL Server Configuration Manager, not by going directly to the service itself.




Microsoft Certified Master - SQL Server 2008
Follow me on twitter: @keith_tate

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1510233
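
The checks described in the post above, written out as an added PowerShell example (not code from the thread or from any poster): it reports whether the service account sits in the local Administrators group and grants read/write on the log backup folders only where that is missing. The account name and folder paths are placeholders; run it on both the primary and the secondary, since the group check is local to each server.

```powershell
# Added example. Account and paths below are placeholders, not from the thread.
$ServiceAccount = 'CONTOSO\svc-sql'                          # hypothetical
$LogPaths = @('D:\LogShip', '\\SECONDARY01\LogShip')         # hypothetical

function Test-IsLocalAdmin {
    param([Parameter(Mandatory)][string]$Account)
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    # Lists direct members only; membership through a nested group is not seen.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'
    [bool]($members | Where-Object { $_.Name -ieq $Account })
}

function Test-HasReadWrite {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Account)
    # NTFS ACL only: sums Allow entries that name the account itself. Rights
    # held through groups, Deny entries and share permissions are not evaluated.
    $need    = [System.Security.AccessControl.FileSystemRights]'Read, Write'
    $granted = [System.Security.AccessControl.FileSystemRights]0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -ieq $Account) {
            $granted = $granted -bor $ace.FileSystemRights
        }
    }
    ($granted -band $need) -eq $need
}

function Grant-ReadWrite {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Account)
    # Read and write on this folder and everything below it, nothing more.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Read, Write', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

if (Test-IsLocalAdmin -Account $ServiceAccount) {
    Write-Warning "$ServiceAccount is a direct member of local Administrators on $env:COMPUTERNAME"
}
foreach ($path in $LogPaths) {
    if (Test-HasReadWrite -Path $path -Account $ServiceAccount) {
        Write-Output "OK: $ServiceAccount has Read, Write on $path"
    } else {
        Write-Output "Granting Read, Write on $path to $ServiceAccount"
        Grant-ReadWrite -Path $path -Account $ServiceAccount
    }
}
```

For a UNC path the script reads the NTFS ACL of the shared folder; the share's own permissions are set separately on the server that hosts it.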
Posted Friday, November 1, 2013 3:45 AM
Keith Tate (10/31/2013)
When setting up your service accounts you want to follow the principle of least privilege. Basically this means that you only want to grant the necessary rights to your service account to do its job and nothing more. I have never come across a reason that I needed my service account to be a domain admin or a local admin. I simply grant the necessary permissions to the account and that is all.

The reason for this is security, plain and simple. If your service account gets hacked you want to limit your potential damage by limiting the hacker's surface area. Domain admin and/or local admin is a pretty big surface area.

Now a couple of people have asked if the new account has read/write access to the location of the Tlog backups. Does it? Start there. Also, any changes you make to your service account need to be done through SQL Server Configuration Manager, not by going directly to the service itself.


+1
Post #1510539