We're trying to limit the number of user accounts with Admin level permission
on our Win2K servers, especially SQL servers. We have created a domain level
account to run SQLServer and SQLAgent. We'd like to limit it to Power User
status instead of Admin status on the servers, but we cannot seem to start
and stop the services from SEM with only Power User status. We've checked
registry key permissions and everything seems to be configured properly. Is
this configuration even possible? Or does this account NEED to be local admin
on the server? Help would be appreciated. Thanks.
|||
The account that starts the services needs to have the "log on as a service"
right. Without this MSSQLServer and MS SQL Server Agent will not start.
It would also be more secure to use a domain account for this rather than a
local account as SQL then benefits from the integrated security of Windows
2000.
Also why would you want end users to have admin rights on the server at all?
This defeats the object of system security and resource accessibility. It
is best that they are Domain Users only then assign access rights to shares
on the servers.
HTH
Regards
Dazza
"gbledsoe" <gbledsoe@.discussions.microsoft.com> wrote in message
news:72CDD311-3C73-480E-9734-3E6F0E76DB09@.microsoft.com...
> We're trying to limit the number of user accounts with Admin level permission
> on our Win2K servers, especially SQL servers. We have created a domain level
> account to run SQLServer and SQLAgent. We'd like to limit it to Power User
> status instead of Admin status on the servers, but we cannot seem to start
> and stop the services from SEM with only Power User status. We've checked
> registry key permissions and everything seems to be configured properly. Is
> this configuration even possible? Or does this account NEED to be local admin
> on the server? Help would be appreciated. Thanks.
|||
We've followed the instructions in MS article 283811 and ensured that the
account has all necessary extended user rights, such as act as part of
operating system, logon as batch job, logon as service. The fundamental
question is whether the account can run as Power User or does it need to be
Administrator? If it does not NEED to be Administrator, what other
configuration is necessary to let us use that account to stop and start the
SQLServer service, since Power User does not seem to have the rights. Thanks.
"Dazza" wrote:
> The account that starts the services needs to have the "log on as a service"
> right. Without this MSSQLServer and MS SQL Server Agent will not start.
> It would also be more secure to use a domain account for this rather than a
> local account as SQL then benefits from the integrated security of Windows
> 2000.
> Also why would you want end users to have admin rights on the server at all?
> This defeats the object of system security and resource accessibility. It
> is best that they are Domain Users only then assign access rights to shares
> on the servers.
> HTH
> Regards
> Dazza
>
> "gbledsoe" <gbledsoe@.discussions.microsoft.com> wrote in message
> news:72CDD311-3C73-480E-9734-3E6F0E76DB09@.microsoft.com...
>
|||
gbledsoe wrote:
> We're trying to limit the number of user accounts with Admin level permission
> on our Win2K servers, especially SQL servers. We have created a domain level
> account to run SQLServer and SQLAgent. We'd like to limit it to Power User
> status instead of Admin status on the servers, but we cannot seem to start
> and stop the services from SEM with only Power User status. We've checked
> registry key permissions and everything seems to be configured properly. Is
> this configuration even possible? Or does this account NEED to be local admin
> on the server? Help would be appreciated. Thanks.
It should be, although not all SQL features are available. I am running
multiple instances with different plain domain user accounts. When you are
not sure about registry, user and NTFS permissions, change the account using
the Enterprise Manager.
When you need the proxy account to run scheduled DTS packages, create a
separate account for the SQL Agent service and make it local admin, unless
someone here can explain how to accomplish this without local admin rights.
Have a look at this one:
http://support.microsoft.com/defaul...;283811&sd=tech
Hans