Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

Technobabble by Klee from @kleegeek

David Klee is all around geek who loves data - including the platform it resides on, virtualizing it, improving performance, availability, and disaster recoverability, and data presentation and visualization. He frequently advises organizations on the techniques of migrating their business-critical physical SQL Servers to the VMware infrastructure in his day job as Solutions Architect. David speaks at many national SQL Saturday events and SQL Server User Group meetings, as well as writes technical columns on SQL Server and virtualization topics on various blogs. He is on Twitter (https://twitter.com/kleegeek), LinkedIn (http://www.linkedin.com/in/davidaklee), and blogs frequently (http://www.davidklee.net).

Cleaning orphaned SIDs after a SQL Server VM template deployment

A few weeks ago (or longer, I’m behind on email again) Nate Palm (LinkedIn) messaged me after the most recent SQL PASS virtualization webinar and asked me a fantastic question. He asked how to get rid of the orphaned account SIDs that sometimes come about after a SQL Server virtual machine template has been Sysprepped after the template deployment process.

If a VM was joined to a domain before the template conversion, or if the SQL Server services were not set to use a domain service account during installation, orphaned SIDs can occur. These are not detrimental to the services functioning normally when you grant proper access to your service accounts, but it’s always great to have a clean system.

After the sysprep process, the following groups were showing some orphaned SIDs.

  1. SQLServerMSSQLUser$ComputerName$MSSQLSERVER (ComputerName\SQLServerMSSQLUser$ComputerName$MSSQLSERVER
  2.  
  3. SQLServerSQLAgentUser$ComputerName$MSSQLSERVER (ComputerName\SQLServerAgentUser$ComputerName$MSSQLSERVER

The process that I normally use after a sysprep involves a free program from Microsoft called SubInACL.exe. It is a command-line program that helps you deal with security details for programs, services, and can help us clean up the orphaned SIDs across the server. It’s crazy powerful, and can be used to do all sorts of things. I build this into my SQL Server VM templates.

Once a server has been deployed from a previously configured SQL Server template, I have a script in the works that is configured to clean up certain things. The key command is as follows.

  1. subinacl /samobject /cleandeletedsidsfrom=domainname=all

That should take care of it, and if it does not in your case, check out all the different operations that can be executed with various parameters. 

Comments

Leave a comment on the original post [www.davidklee.net, opens in a new window]

Loading comments...