March 15, 2004 at 4:00 pm
March 15, 2004 at 9:28 pm
The account will have to be a local administrator on the server or you will have to go and grant full permissions to everything that SQL Server needs on the server. It doesn't have to be a domain administrator just a regular user and local admin. There was a good article in the first sql server standard mag about securing sql the only thing that can't be run as a non local admin is full text search I belive.
Wes
March 16, 2004 at 1:33 am
As is with installing any software, if you want it to run as a non-admin and it won't, you can download & run regmon & filemon from sysinternals.com to determine exactly what registry keys or files the program needs write permission to, instead of just using an administrator account.
Patrick Rouse
Microsoft MVP - Terminal Server
March 16, 2004 at 8:09 am
If the server is stand-alone, and not a member of a domain, just use the local system account. The common recommendation you refer to is to use a DOMAIN user id, not a local Windows user id. Obviously, to use a domain user id implies that the server is also a member of the domain.
Mike
March 16, 2004 at 8:18 am
Hello every body,
First of all I would like to thank everybody whom response to my question.
Burthold, can you give me the link to the article you are refering to?
Mkeast, I want to use window user instead of local system because I have my customize mail stored Procedures and required to use account user with MAPI set up.
March 17, 2004 at 8:53 am
One of the Microsoft articles suggests that changing the SQL Server or agent account should be done through the SQL EM, since the account needs some registry and file system permissions that a regular user may not have. Moving the service user from an admin group to a regular user group will not get these permissions. Did you use the SQL EM to change the account? Since you have already created the account, try changing the startup account to something else (like a local system) and then change back to the account you want to use, that should grant the account all the permissions. One caveat to using a non-admin account to start the SQL Services is that you will not be able to use SQLAgent Proxy account (ie to let non-sysadmin SQL users run OS commands or schedule and run DTS packages). For this reason I keep the SQL service accounts as windows admins.
March 17, 2004 at 1:59 pm
The article may be here I would do a search. The one I am talking about is in the Sql Server Standard magazine. It isn't easy but it will make your server more secure. In the short term, the account that the agent is set to start under needs to be a local administrator on the sql server.
Wes
March 17, 2004 at 2:33 pm
the account I am using is part of the sysadmin group in the SQL and I use the SQL EM to change the start up account. As soon as I click restart I got an error unless I change the account window permission from user to Administrator. any idea why?
March 17, 2004 at 7:08 pm
Does the account have "logon as a batch job" user rights?
Viewing 9 posts - 1 through 8 (of 8 total)
You must be logged in to reply to this topic. Login to reply