April 14, 2008 at 11:20 am
I used Microsoft's article, http://support.microsoft.com/kb/283811/en-us, to lock down my SQL Server 2005. We have a domain account that has always been running the services, but as a machine Administrator. The problem is it defeats the purpose of having a separate account. I have been successful with all aspects of locking down the account with the exception of stopping/starting the services. I can create/delete a database; create/delete a maintenance plan; read logs; create users... just can't stop/start the services without being an administrator.
On the server, I receive an Error 5, access denied; the event log records:
Event Type:Failure Audit
Event Source:Security
Event Category:Object Access
Event ID:560
Date:4/14/2008
Time:11:03:07 AM
User:Domain\SQL-Service_Account
Computer:Server Name
Description:
Object Open:
Object Server:SC Manager
Object Type:SERVICE OBJECT
Object Name:SQLSERVERAGENT
Handle ID:-
Operation ID:{0,1221790}
Process ID:412
Image File Name:C:\WINDOWS\system32\services.exe
Primary User Name:Server Name$
Primary Domain:WIN
Primary Logon ID:(0x0,0x3E7)
Client User Name:SQL-Service_Account
Client Domain:Domain
Client Logon ID:(0x0,0x121E25)
Accesses:Start the service
Privileges:-
Restricted Sid Count:0
Access Mask:0x10
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Can anyone help shed some light on this?
Thank you.
Josie
April 14, 2008 at 1:59 pm
Are you logging on to the server using the SQL Server Service account? With SQL Server 2005 there should not be a need to log on to the server using the SQL Server Service account.
Jack Corbett
Consultant - Straight Path Solutions