October 31, 2002 at 3:05 pm
I have what I hope is a simple question. I have been looking for the answer but I can't find exactly what I am looking for.
On all of my SQL Servers, I have three logins setup in the Sysadmin role: 'sa', an Active Directory group that contains only our SQL Server administrators, and the SQL Server Service account.
My question is, should I have the SQL Server Service account as part of the Sysadmin role?
My apologies if this seems elementary but I am trying to setup my systems right.
Thanks for all help
----------------------------------------------------------
01010011010100010100110000100000010100110110010101110010011101100110010101110010
001000000101001001101111011000110110101101110011
October 31, 2002 at 3:15 pm
The SQL Server Service account must be member of the Local Administrator Group of your Pc. All the locals administrators map directly to the Sysadmin role in SQL Server.
For example, If you add more local administrators to your pc, the will gain access to SQL Server with sysadmin permissions.
There's nothing wrong in the configuration you have.
Use the sql service account only for that purpouse...managing sql services and remember not to change or reset the password to that user.
October 31, 2002 at 3:22 pm
Thanks for the reply but we have decided to NOT make the SQL Server Service account a member of the Local Administrators group. We decided this after much research and decided that opens up our systems too much. We do, however, give the SQL Server Service account all of the permissions it needs.
----------------------------------------------------------
01010011010100010100110000100000010100110110010101110010011101100110010101110010
001000000101001001101111011000110110101101110011
October 31, 2002 at 3:47 pm
Check that the sql service account can't still start the services.
October 31, 2002 at 3:56 pm
Our SQL Server service accounts are domain accounts. We have does this so we can user NT file shares, send email using exchange, etc. Are accounts have either been give access directly to SYSADMIN, or been give access indirectly by being in the local admin group. I'm guess if you decide not to have your service account members of SYSADMIN then some commands that require SYSADMIN will not be available, like xp_cmdshell, xp_sendmail unless you directly map permissions to these extended stored procedures.
Gregory Larsen, DBA
If you looking for SQL Server Examples check out my website at http://www.geocities.com/sqlserverexamples
Gregory A. Larsen, MVP
October 31, 2002 at 4:16 pm
See the "Starting SQLServerAgent Service" article in Books Online. It essentially says that the account that your SQLServerAgent service runs under needs to be a member of the sysadmin role on your SQL Server.
Matthew Burr
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply