November 7, 2006 at 10:00 am
Hi,
I have recently installed SQL Server 2005 Standard under Win Authentication only and have removed the builtin administrators group and have a couple of questions:
1. Does the account running the sqlserver service need to have sysadmin rights in sql server?
2. If it does not then the only account that will have sa permissions will be my NT account. If I leave and my account was deleted how would someone be able to access the server and gain sa rights? If they can't then what is the best way to ensure this does not happen?
Many Thanks
Jon
November 7, 2006 at 10:14 am
The domain accounts running our SQL Servers have admin rights. I would also make sure you have another user with sys admin rights besides your own account, not just in case you leave, but in case you are not available and someone needs to access the SQL Server as an admin.
November 8, 2006 at 3:24 am
When you install SQL2005 a number of local groups are created. These groups are intended to hold the service accounts that run the various SQL services, and are assigned the relevant Windows and SQL rights needed to make SQL work correctly. The group that holds the SQL Server service account has sysadmin rights in SQL.
At my site, the windows rights are controlled by GPOs which do not include local groups. Threfore we have had to reverse engineer the Windows rights from the SQL local groups and apply them directly to the service accounts in the GPOs. We have also explicitly made the service accounts sysadmin.
Although we have revoked the SQL logins related to the local accounts, we have not deleted the groups or changed their membership, as there is no documentation on how to do this safely.
IMHO, the SQL Setup program should include a screen to allow the names of these local groups to be given, so they can comply with local naming standards. Such a screen should follow the example of the Service Account screen, and allow a single group to be set up to hold all service accounts. It should also be possible to use a Domain rather than a local group. There should also be documentation on how the local groups can be safely removed from the server without impacting the functionality of SQL.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply