SQLServer2005MSSQLUser$ComputerName$MSSQLSERVER
Posted Thursday, March 8, 2007 11:26 AM
SSChasing Mays


Hi,

In the MSSQL folder (Windows Explorer), under the Security tab I see this group or username: SQLServer2005MSSQLUser$ComputerName$MSSQLSERVER

Why is this there, and what will happen if this is deleted when using xcacls.vbs for folder/file permissions?

Thanks.

Post #350127
Posted Friday, March 9, 2007 5:56 AM
SSCrazy


SQL 2005 creates a number of local groups during the install process.  BOL has the full details of this.  They hold the service accounts used to run the various SQL services.

I have looked at deleting these groups but have decided against it. If you look in the SQL portion of the registry, you will see references to the SIDs of some groups, the names of others, and prefixes for the rest.

There is no Microsoft or newsgroup documentation on what impact there will be on SQL if the groups are deleted.  If anything does break, Microsoft may well ask you to reproduce the problem using a standard environment (with the groups) before they can properly support you.  We have a regulatory requirement to use vendor-supported software, so for us the groups have to stay.



Original author: SQL Server FineBuild 1-click install and best practice configuration of SQL Server 2014, 2012, 2008 R2, 2008 and 2005. 18 October 2014: now over 31,000 downloads.
Disclaimer: All information provided is a personal opinion that may not match reality.
Concept: "Pizza Apartheid" - the discrimination that separates those who earn enough in one day to buy a pizza if they want one, from those who can not.
Post #350324
Posted Friday, March 23, 2007 3:06 AM
Forum Newbie

I also see these groups. I would like to replace them with domain groups (instead of local). Is this possible, and if yes, how?
Thanks.

PS. What is "BOL"?
Post #353451
Posted Saturday, March 24, 2007 12:49 PM


Keeper of the Duck


BOL = Books Online.

As to whether or not you can replace them? No. You should not. If you want to use domain groups, leave the local groups in place and grant similar rights to your domain groups.

 



K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #353705
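
The advice in the reply above (leave the local groups in place and grant similar rights to a domain group), sketched in PowerShell as an added example that is not part of the thread. The folder path and the domain group name are placeholders; the local group name is the one quoted in the question.

```powershell
# Added example (not from the thread). Run elevated on the SQL Server host.
param(
    [string]$Path        = 'D:\MSSQL\Data',                                    # assumed data folder
    [string]$LocalGroup  = 'SQLServer2005MSSQLUser$ComputerName$MSSQLSERVER',  # name as quoted in the thread
    [string]$DomainGroup = 'EXAMPLE\SQL-Engine-Service'                        # hypothetical domain group
)
$ErrorActionPreference = 'Stop'   # abort before Set-Acl if any step fails

$acl = Get-Acl -Path $Path

# Explicit (non-inherited) ACEs held by the setup-created local group.
# IdentityReference looks like COMPUTER\GroupName, so compare the last part.
$localRules = @($acl.Access | Where-Object {
    -not $_.IsInherited -and
    ($_.IdentityReference.Value -split '\\')[-1] -eq $LocalGroup
})
if ($localRules.Count -eq 0) {
    Write-Warning "No explicit ACE for '$LocalGroup' on $Path; nothing to copy."
    return
}

# Resolve the domain group first; Translate() throws if the name is unknown.
$domainId  = New-Object System.Security.Principal.NTAccount($DomainGroup)
$domainSid = $domainId.Translate([System.Security.Principal.SecurityIdentifier])
Write-Host "Granting to $DomainGroup ($domainSid)"

foreach ($rule in $localRules) {
    # Same rights, inheritance and allow/deny type as the local group's ACE.
    # ACEs that carry raw generic-rights bits may be rejected by this constructor;
    # with ErrorActionPreference = Stop the script then exits without writing.
    $copy = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $domainId, $rule.FileSystemRights, $rule.InheritanceFlags,
        $rule.PropagationFlags, $rule.AccessControlType
    $acl.AddAccessRule($copy)   # additive: the local group's ACE is not touched
}

Set-Acl -Path $Path -AclObject $acl

# Show both principals side by side to confirm the rights now match.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $DomainGroup -or
                   ($_.IdentityReference.Value -split '\\')[-1] -eq $LocalGroup } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Adding `-WhatIf` to the `Set-Acl` call previews the change without writing the ACL.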
Posted Saturday, March 24, 2007 12:54 PM
Forum Newbie

Hello Brian, thanks for the answer.

The trouble is as follows - I have a NAS storage which is a part of an Active Directory forest.
When I try to create data files with SQL 2005 (SQL 2000 works fine), I get permission denied even if I grant Full Control to Everyone. After resorting to a network sniffer, I found out that when SQL2005 tries to create the files, it tries to give permissions to the local group (the SQLServer2005MSSQLUser$ComputerName$MSSQLSERVER one), and because its SID is unknown to Active Directory, our NAS rejects it. That's why I want to use domain groups instead of local ones. Does anybody have any suggestions?

EDIT: I should mention that I am using a domain user.
Post #353706
Posted Saturday, March 24, 2007 3:11 PM


Keeper of the Duck


Unfortunately, I don't think you can change the way SQL Server 2005 sets itself up. Typically, though, SQL Server is set up where the drives appear locally to the server where SQL Server is running. Do you not have an option of doing that?

 



Post #353711
Posted Saturday, March 24, 2007 3:16 PM
Forum Newbie

Nope, I have to use the NAS. If I set the NAS to ignore security - everything works fine, but that's a major hole, so it is not an option. And I find it very annoying that SQL2000 used to work fine with this setup and 2005 doesn't.
Post #353712
Posted Saturday, March 24, 2007 5:37 PM


Keeper of the Duck


You may have to end up contacting Microsoft Support. I believe it'll continue to be a problem, especially since I think it resets the permissions on the database files when they get created to use those local groups.

 



Post #353715
Posted Sunday, March 25, 2007 11:36 AM
Forum Newbie

Already did that, I was just hoping for quicker turnaround, because everyone's (including MS) support structure is glacial with regards to speed...

EDIT: Creating the files locally and then detaching, moving, and reattaching the DB with the new location works, but it is just a workaround.
Post #353727
Posted Monday, March 26, 2007 2:31 AM
SSCrazy


I registered a request with Microsoft that it should be possible during the install to specify the groups that SQL Server uses.  The response was 'This will be considered for a future release'.  I think the workaround you posted of moving the database files post-install is the best you will get in a NAS environment.

If you get a fix for SQL 2005, please let the community know.



Post #353781