Risks with changing service accounts

  • I have inherited a few SQL servers that have services running under very highly privileged domain accounts. I am planning to change the service accounts to low-privilege users. Can someone advise me on what kind of permission issues I might run into in doing this?

    As this is a high-availability environment, I would like to address any possible issues ahead of time so this could be a one-time change with little or no impact to end-users outside of the window required to restart the services.

    This is a Win2k3 box, running SQL 2k8 Ent. It is part of a cluster, and mirrors several databases to a second machine in a different cluster.

    Thanks for any input/advice you may have.

  • Here is a doc that covers the permissions needed for the service accounts.

    Too few permissions and you could lose some functionality.

    http://msdn.microsoft.com/en-us/library/ms143504.aspx

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • Changing service accounts on a cluster can be tricky, and furthermore removing permissions from an account on a cluster even more so.

    I'd suggest you carefully document exactly what your SQL Server does under its service account. Often things like log shipping, file copies, data movements and such rely upon elevated permissions for simplicity of operation. I'm not saying that this is correct, but sometimes making permissions ultra restrictive makes management very complex.

    Make sure any account changes are made through SQL Server management and not the Services MMC.

    You say your environment is highly available; as you're asking this question on the forum, I might suggest that your efforts to make changes may well make your environment highly unavailable. Make changes on a less important server first.

    The GrumpyOldDBA
    www.grumpyolddba.co.uk
    http://sqlblogcasts.com/blogs/grumpyolddba/
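
One way to build the inventory suggested in the last reply before swapping accounts, as an added T-SQL example that is not part of any post in this thread. It assumes you run it as a sysadmin on each instance (both mirroring partners) and that the 30-day backup window is long enough to catch every backup target in use.

```sql
-- Run on each instance (both mirroring partners) as a sysadmin.

-- 1. Mirroring endpoint and who may CONNECT to it. The partner's new
--    service account needs a login with CONNECT on this endpoint.
SELECT e.name AS endpoint_name, e.state_desc AS endpoint_state,
       sp.name AS grantee, p.permission_name, p.state_desc AS permission_state
FROM sys.database_mirroring_endpoints AS e
LEFT JOIN sys.server_permissions AS p
       ON p.class_desc = N'ENDPOINT' AND p.major_id = e.endpoint_id
LEFT JOIN sys.server_principals AS sp
       ON sp.principal_id = p.grantee_principal_id;

-- 2. Agent job steps that touch the OS without a proxy. For sysadmin-owned
--    jobs these run as the SQL Server Agent service account.
SELECT j.name AS job_name, s.step_id, s.step_name, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN (N'CmdExec', N'PowerShell', N'SSIS', N'ActiveScripting')
  AND ISNULL(s.proxy_id, 0) = 0
ORDER BY j.name, s.step_id;

-- 3. Folders and shares the accounts must reach: recent backup targets
--    and log shipping directories (all read from msdb).
SELECT DISTINCT N'backup target' AS path_use, mf.physical_device_name AS location
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS mf ON mf.media_set_id = bs.media_set_id
WHERE bs.backup_finish_date >= DATEADD(DAY, -30, GETDATE())
UNION ALL
SELECT N'log shipping backup dir', backup_directory
FROM msdb.dbo.log_shipping_primary_databases
UNION ALL
SELECT N'log shipping backup share', backup_share
FROM msdb.dbo.log_shipping_primary_databases
UNION ALL
SELECT N'log shipping copy source', backup_source_directory
FROM msdb.dbo.log_shipping_secondary
UNION ALL
SELECT N'log shipping copy target', backup_destination_directory
FROM msdb.dbo.log_shipping_secondary;

-- 4. Data and log file locations the engine account must read and write.
SELECT DB_NAME(database_id) AS database_name, type_desc, physical_name
FROM sys.master_files
ORDER BY database_name, type_desc;
```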
