New SQL Server Per-Service SID - How to add ACL to folders with it?

  • Hi,

    In SQL Server 2005-2008 there was a local group that was created for the SQL Server service account: NT SERVICE\MSSQLSERVER.

    When we needed to add permissions on a folder on the server, we used this group to give read or write access.

    Right now, we are trying to give similar access on a local resource, but the account does not exist, since they changed the security schema with 2012.

    I checked the ACL on a folder which was granted access during the installation, and I can see a user "MSSQLSERVER" which is granted the full control over the data folder, but I cannot choose this user, or use it somewhere else.

    1- If I do not want to hardcode the service account (which is a domain user in that case), how can I give access on a local resource using a local group/account?

    2- What is the best practice on granting permissions on a local folder for a certain domain account, do you hardcode it, or use the local group?

    Thank you in advance,

    Cheers,

    J-F

  • Try using the local account "NT SERVICE\MSSQLSERVER". For named instances, "NT SERVICE\MSSQL$instancename". Type it in in full. A check will verify and drop the NT SERVICE part.

    PS: It is an object type "Built-in security principals". The location must be the local server name. A check name might bring up a list. Select the one that you want - MSSQLSERVER.

    RandyHelpdesk: Perhaps I'm not the only one that does not know what you are doing. 😉
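As an added example (not from the thread), the same grant the reply above describes through the ACL dialog, done in PowerShell so it can be scripted and checked. The instance name MSSQLSERVER and the folder D:\SQLBackups are placeholders; for a named instance use MSSQL$INSTANCENAME.

```powershell
# Added example, not from the original post. Grants a SQL Server per-service SID
# access to a local folder without hardcoding the domain service account.
# Assumptions (placeholders): default instance 'MSSQLSERVER', folder 'D:\SQLBackups'.
param(
    [string]$ServiceName = 'MSSQLSERVER',      # named instance: 'MSSQL$INSTANCENAME'
    [string]$Folder      = 'D:\SQLBackups',
    [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
)

# Show the per-service SID Windows derives from the service name (S-1-5-80-...).
# This SID is what shows up as the bare name "MSSQLSERVER" in an existing folder ACL.
sc.exe showsid $ServiceName

# The principal must be written with the "NT SERVICE\" prefix when typed in full.
$principalName = "NT SERVICE\$ServiceName"
$principal     = New-Object System.Security.Principal.NTAccount($principalName)

# Resolving the name to a SID first proves the principal exists on this machine,
# so a typo does not leave an unresolvable ACE behind.
$sid = $principal.Translate([System.Security.Principal.SecurityIdentifier])
Write-Host "Resolved '$principalName' to $sid"

# Grant Modify rather than Full Control (least privilege), inherited by subfolders
# and files so new backup or data files created under the folder are covered.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $principal, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify: list only the ACEs on the folder that belong to the service SID.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $principalName } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Run it from an elevated PowerShell session on the SQL Server host itself, since the NT SERVICE name only resolves locally.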

  • BTW, I am also trying to find best practices on the use of the service sid, group, or service account when assigning rights. So far, I think the SID or group is the best for things that SQL Server needs. I don't think giving a service account the rights grants the service those rights. The service can use the service account, but does it actually have the same rights? For example, to impersonate the service account, the service sid would have the right to impersonate already? If I could understand it, I might be able to make better choices.

    RandyHelpdesk: Perhaps I'm not the only one that does not know what you are doing. 😉
