February 12, 2010 at 3:02 pm
Hi Guys,
I'm running SQL 2008 SP1 on Windows Server 2008 R2. When I installed SQL, I chose "use same account for all services" and picked local system. Now, I've created different local user accounts for each service (non admin). When I change the account for each service to these new accounts in SSCM, I'm not understanding why under Server Manager/Configuration/Local Users and Groups/Groups, the corresponding SQL group doesn't show the account I specified as a member. It only shows NT Server\[ServiceAccount$InstanceName]. It was my understanding that when you change the account in SSCM, the account specified is added to this corresponding service account group. Am I wrong about this? How do I assign the local user account advanced privileges that will reflect in the local security policy?
Thanks in advance!
February 12, 2010 at 3:18 pm
I'm not sure Config Mgr adds them to the group. It should assign permissions, which you'd think would mean dropping them in the appropriate group, but possibly not.
Are you saying that you've set up an account for something like Full text Search, and then changed that account in config manager, but the account doesn't show up in a group?
Here's a good reference for service accounts and permissions: http://msdn.microsoft.com/en-us/library/ms143504.aspx
February 13, 2010 at 4:33 am
I'm not totally convinced the NT groups have any relevance. You'd need to check out the permissions of these groups - that would be relevant if your account requires those permissions.
There have been some discussions about removing these groups and the logins created in sql server.
The GrumpyOldDBA
www.grumpyolddba.co.uk
http://sqlblogcasts.com/blogs/grumpyolddba/
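To settle the question raised in the first three posts (which account each SQL service actually runs as, and who is a member of the SQLServer* local groups that Setup created), here is an audit script. It is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell 3.0 or later on the SQL host and uses ADSI for group members so it does not need the newer LocalAccounts module. The service-name prefixes in the regex are assumptions covering the usual SQL Server 2008 services.

```powershell
# Added example (not from the thread): audit SQL Server service logon accounts,
# per-service SIDs, and membership of the local groups SQL Setup created.

# 1. Services: logon account as configured (what SSCM shows) and the per-service
#    SID (NT SERVICE\<name>) that Windows 2008+ grants to the service process.
#    The name prefixes below are an assumption covering the common 2008 services.
function Get-SqlServiceAccounts {
    $pattern = '^(MSSQL|SQLAgent|MSOLAP|SQLBrowser|MsDtsServer|ReportServer|MSSQLFDLauncher)'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            # sc.exe showsid derives the service SID from the service name
            $sidLine = (& sc.exe showsid $_.Name) -match 'SERVICE SID:' | Select-Object -First 1
            [PSCustomObject]@{
                Service      = $_.Name
                LogonAccount = $_.StartName
                StartMode    = $_.StartMode
                ServiceSid   = ($sidLine -replace '^\s*SERVICE SID:\s*', '')
            }
        }
}

# 2. Local groups named SQLServer...$HOST$INSTANCE and their members.
#    Members are read through ADSI (WinNT provider), which works on 2008 R2.
function Get-SqlLocalGroupMembers {
    Get-CimInstance -ClassName Win32_Group -Filter "LocalAccount = TRUE AND Name LIKE 'SQLServer%'" |
        ForEach-Object {
            $adsiGroup = [ADSI]"WinNT://$env:COMPUTERNAME/$($_.Name),group"
            $members = @($adsiGroup.psbase.Invoke('Members') | ForEach-Object {
                # Each member is a COM object; pull its Name property via reflection
                $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            })
            [PSCustomObject]@{ Group = $_.Name; Members = ($members -join ', ') }
        }
}

Get-SqlServiceAccounts    | Format-Table -AutoSize
Get-SqlLocalGroupMembers  | Format-Table -AutoSize
```

Run it from an elevated prompt before and after changing an account in SSCM and diff the two outputs: the LogonAccount column shows whether the change took, and the Members column shows whether the new account or only the NT SERVICE\ name ended up in the group.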
February 15, 2010 at 7:22 am
Thanks for the replies guys.
Steve, I've read the msdn article you posted a few times...I'm confused in the part where it says in bold:
"Security Note Always run SQL Server services by using the lowest possible user rights. Use a specific low-privilege user account or domain account instead of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Do not grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted directly to a service SID where a service SID is supported."
So, I have a separate user account for each service with minimal permissions. But I don't know the right way to elevate the account permissions. For example, I have sql browser service and analysis service each having a separate user account I created. I used SSCM to assign the user accounts to each service. But I can't connect to SSAS in management studio unless I switch the browser service to local system (admin account). This is all from a local machine.
February 16, 2010 at 2:39 am
This is why reducing permissions is always tricky. There are some pages in BOL which explain the basic rights each account requires, however ultimately it is what you do with the accounts/servers which finally dictates what rights you grant. This is why many add the sql service accounts to the local admins because everything works.
The GrumpyOldDBA
www.grumpyolddba.co.uk
http://sqlblogcasts.com/blogs/grumpyolddba/
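The last two posts come down to the same problem: knowing which user rights (Local Security Policy, User Rights Assignment) a given service account actually holds, so that missing ones can be granted individually instead of putting the account in Administrators. The following is an added example, not code from the thread or from Microsoft; it assumes an elevated prompt, the built-in secedit.exe, and that the rights listed as required for the Database Engine account are the ones named in the msdn article linked earlier (Log on as a service, Replace a process-level token, Bypass traverse checking, Adjust memory quotas for a process). The account name svc_sqlengine is a made-up placeholder.

```powershell
# Added example (not from the thread): report which user rights an account or
# service SID holds in the local security policy, and which required ones are missing.

function Get-UserRightsForAccount {
    param([Parameter(Mandatory)][string]$Account)

    # Resolve the account (a local user, or a service SID name such as
    # "NT SERVICE\MSSQLSERVER") to its SID, since secedit exports SIDs.
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = $null   # unresolvable name: fall back to matching the literal name
    }

    # Export only the user-rights area of the local policy to a temporary INF.
    $inf = Join-Path $env:TEMP 'secpol-user-rights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

    # Lines in [Privilege Rights] look like:
    #   SeServiceLogonRight = *S-1-5-80-...,*S-1-5-21-...
    $held = @()
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
            if (($sid -and $holders -contains $sid) -or $holders -contains $Account) {
                $held += $Matches[1]
            }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $held | Sort-Object
}

# Rights the linked msdn article lists for the Database Engine service account.
$requiredForEngine = 'SeServiceLogonRight',          # Log on as a service
                     'SeAssignPrimaryTokenPrivilege', # Replace a process-level token
                     'SeChangeNotifyPrivilege',       # Bypass traverse checking
                     'SeIncreaseQuotaPrivilege'       # Adjust memory quotas for a process

# Placeholder account name; replace with the account configured in SSCM.
$account = "$env:COMPUTERNAME\svc_sqlengine"
$held = Get-UserRightsForAccount -Account $account

"Rights held by ${account}:"
$held | ForEach-Object { "  $_" }
"Required rights not held:"
$requiredForEngine | Where-Object { $held -notcontains $_ } | ForEach-Object { "  $_" }
```

Granting a missing right is then a deliberate edit in secpol.msc (User Rights Assignment) for that one account, and re-running the script confirms the policy now reflects it. The same check can be pointed at the service SID name (for example NT SERVICE\MSSQLSERVER) to see what the service process gets regardless of the logon account.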