Microsoft Search Service and sa credentials

  • We have some users who now want to use Full-text catalogs and the Microsoft Search service.  According to MS, the only way for this to work is to:

    1.  Leave BuiltIn/Admin acct in SQL Server (which we do not do)

    or

    2.  Have NT Authority\System run the MS Search Service, and add NT Authority\System as SQL Server 'sa'.  This is pretty much the same as leaving builtin admins because any admin can get in and run code as NT Authority against the SQL Server.  This is what we are trying to prevent in the first place.

    Does anyone know of a workaround for this?

    Thanks,

    Ben Reeder - Deere and Company SQL Server DBA

    Win2000/2003 - SQL Server SP3a going to SP4.

  • Unfortunately, there is no workaround to this as it is "by design" and necessary for the MSSearch service to access SQL Server tables. Option 2 is your best option, as you've removed BUILTIN\Administrator. See the below code and KB article for more info:

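    -- Create a SQL Server login for the LocalSystem account
    exec sp_grantlogin N'NT Authority\System'
    -- Set its default database and language
    exec sp_defaultdb N'NT Authority\System', N'master'
    exec sp_defaultlanguage N'NT Authority\System','us_english'
    -- Add the login to the sysadmin fixed server role
    exec sp_addsrvrolemember N'NT Authority\System', sysadmin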

    Q263712 "How to impede Windows NT administrators from administering a clustered instance of SQL Server" http://support.microsoft.com/default.aspx?scid=kb;EN-US;q263712

    Note, the "Microsoft Search" (mssearch.exe) service must run under the System account (LocalSystem) or you will hit some documented bugs. Finally, you can physically secure your server, lock your System Admins out of the server, but at some point you will have to trust your employees... Note, this does change in SQL Server 2005 and the MSFTESQL service (the replacement for MSSearch) will run under the same account as the SQL Server account.

    Regards,

    John

    SQL Full Text Search Blog

    http://spaces.msn.com/members/jtkane/


    John T. Kane

  • Thanks a lot John for the info.  This is more explanation than what we rec'd from MS.
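
An added example, not part of the original posts: a T-SQL check that lists every login holding sysadmin after the change described above and raises an error if BUILTIN\Administrators has been re-added. It assumes the SQL Server 2000-era `master.dbo.syslogins` view and its `sysadmin`, `denylogin`, `isntname` and `isntgroup` columns.

```sql
-- Added example (not from the thread): review sysadmin membership.
-- Assumes SQL Server 2000's master.dbo.syslogins view; run as a login
-- that is allowed to see all server logins.
SET NOCOUNT ON

SELECT  l.name AS login_name,
        CASE WHEN l.isntgroup = 1 THEN 'Windows group'
             WHEN l.isntname  = 1 THEN 'Windows user'
             ELSE 'SQL login' END AS login_type,
        l.createdate,
        l.updatedate,
        CASE WHEN UPPER(l.name) = 'BUILTIN\ADMINISTRATORS'
                  THEN 'Every local Windows administrator is sysadmin'
             WHEN UPPER(l.name) = 'NT AUTHORITY\SYSTEM'
                  THEN 'Expected for MSSearch; usable by code running as LocalSystem'
             WHEN l.isntgroup = 1
                  THEN 'Group: review its Windows membership'
             ELSE 'Confirm this login still needs sysadmin' END AS review_note
FROM    master.dbo.syslogins AS l
WHERE   l.sysadmin = 1      -- member of the sysadmin fixed server role
  AND   l.denylogin = 0     -- ignore logins that are explicitly denied
ORDER BY l.isntgroup DESC, l.name

-- Fail loudly if BUILTIN\Administrators is a sysadmin again,
-- for example after a service pack or a reinstall of a component.
IF EXISTS (SELECT 1
           FROM   master.dbo.syslogins
           WHERE  UPPER(name) = 'BUILTIN\ADMINISTRATORS'
             AND  sysadmin = 1
             AND  denylogin = 0)
    RAISERROR('BUILTIN\Administrators is a member of sysadmin.', 16, 1)
```

Scheduling this as a recurring job and keeping the output gives a baseline, so a new sysadmin member stands out when it appears.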
