August 15, 2010 at 4:09 am
Hi, I have been trying to come to some conclusions about which service accounts to setup and use. There doesn't seem to me to be any definitive guide as to best practice.;-)
So, I hope in this thread to get to one, so I think I'm gonna need some help, please!
1. General advice seems to be 'create a different account for each service' - makes good security sense.
2. Also, use names that indicate server/instance/service so they are obvious - e.g. Svr1AccAgent - i.e. Server 1, Instance Acc, Service SQL Server Agent. Also sounds good though the account names are limited in length so you will need to abbreviate.
3. Set passwords not to expire - to save maintenance but I guess might slightly be less secure.
4. Obviously make the passwords strong.
That seems OK to me but then I run into trouble.
My DB server is not a DC. I go and create the users in Computer Management and then try to use them in SQL config during installation - you can't select them, it wants domain users for some reason?
Any ideas gratefully received,
Thanks
Jerry
August 15, 2010 at 10:07 am
few other things to consider,
privilage for the service accounts?
using different service accounts for different applications.
If you are using replication etc ar you planning on using a separate account/or do you plan to use the SQL Agent account?
August 15, 2010 at 10:52 am
Unless there is a specific reason you need to use separate service accounts for each service - I don't usually do that. I'll create a single service account for each instance of SQL Server and use that for all services.
As for the names, it really doesn't matter what you name them. Come up with a naming standard you can live with and use that.
If you don't set the passwords to not expire - you will run into issues. In fact, I just ran into this because the AD team forgot to set that for one of my accounts and SQL Agent jobs started failing on the date the password expired. Not easy to track down, and changing the password can be a hassle since now we have to schedule a downtime to change them.
I use Keypass to store my service accounts and passwords - I also use it to generate a 20 character strong password. Once the account is setup with this password, nobody gets it and it is only ever referenced when needed for configuration of components. I also do the same thing for 'sa' - and this one is never used by anybody (not even me).
And your final issue - if you are using local accounts on the machine where SQL Server is installed, then the domain is that server name. For example, if your server name is MyServer - the domain for the install is going to be MyServer.
Jeffrey Williams
“We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”
― Charles R. Swindoll
How to post questions to get better answers faster
Managing Transaction Logs
August 15, 2010 at 7:14 pm
I tend to agree with Jeffrey. I use domain accounts, no domain permissions unless needed, and let Configuration Manager assign permissions.
I do separate out SSAS or Integration Services, but typically not SQL Agent or most of the core services. The main reason is that I mgiht need to grant other permissiosn off the box, or might restart them. I typically don't want things dependent if I might restart them separately, or don't want to.
I use long, one time passwords. No need to ever know it. If you forget and need to access the sevices, just change the pwd.
August 16, 2010 at 1:45 am
Wow, great comments guys, thanks very much.
Can I assume that SQL server will accept user names like myserver\jerry?
Also, if a create a user myserver\jerry with membership of Users (not a DC so Everyone is not available) does SQL Server add the relevant permissions when I allocate the account to the service? If not, how do we know which permissions to give the account before assigning to the service?
Many thanks
Jerry
August 16, 2010 at 1:58 am
Jerry
As Steve said, you don't need to assign any permissions. As long as you specify the account as the service account during installation or using SQL Server Configuration Manager, all necessary permissions will be assigned automatically. I don't recommend making the account a member of groups such as Users, since this may give it access to do things you may not want it to.
John
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply