SQL Server 2012 Local Service Accounts and Domain Policy for Developers

    Question

  • Hi,

    Our developers have machines in an OU that removes the log on as a service right from local accounts.  This means that the default SQL Server 2012 install will not work.  For example, the integration services service using "NT SERVICE\MsDtsServer110" will fail to start once group policy is applied.  I'm trying to follow the rules of using the least privilege required.  (Our servers are in an OU that does not remove rights installed by SQL setup, so local accounts are fine there.)

    I have asked our AD administrators to consider altering group policy to allow the service SIDs to have the rights required by SQL Server.  However, it appears that how to allow local accounts rights in group policy is not obvious.  I have to wonder what is best to do in this scenario.  Is it less secure to use the least privileged service accounts if group policy has to be opened to allow all local accounts to have the rights?  Should we create an OU for developers?  Can group policy allow just the service SIDs to retain the rights needed?  Any advice is appreciated. 

    Thanks,

    Randy


    Randy in Marin

    Tuesday, July 09, 2013 10:00 PM

Answers

  • Hello,

    To my knowledge, you cannot exclude specific SIDs from the policy. You will have to create an OU where the rights (such as log on as a service) are not removed.


    I will try to implement LocalDB instead of Developer Edition as soon as possible to improve security and save money.

    Hope this helps.


    Regards,
    Alberto Morillo
    SQLCoffee.com

    Thursday, July 11, 2013 11:58 AM
  • Thanks.  Looks like a new OU for the developers.  We have MSDN, so it does not save us money to use LocalDB.  However, as developers adopt SSDT, I think the need for a separate edition will be reduced. 


    Randy in Marin

    Thursday, July 11, 2013 3:41 PM

All replies

  • Hello,

    You can ask an administrator to run SQL Server setup with the “Run as Administrator” option when you need to install SQL Server, provide their credentials, and choose the default SQL Server 2012 service accounts. You mentioned already that all servers are in an organizational unit that does not remove rights installed by SQL Server.

    Hope this helps.


    Regards,
    Alberto Morillo
    SQLCoffee.com

    Wednesday, July 10, 2013 2:06 PM
  • Hi, the developer machines are not in the server OU - and will not be.  Perhaps I should request an OU for developers - probably a good idea in any case.  However, I don't know what would be a best practice.  I would like the default accounts to retain the rights while letting group policy restrict other local accounts - the best of both worlds.  I don't know if this is possible.  I'm not a group policy or AD admin.  If there is a way to set policy to allow just the specific local service accounts the security required, I would like to have a reference to the method to pass along to our admin. 

    Will I still have to worry about rights assigned to local groups?  I don't know if SQL 2012 still relies on local groups to set security. 

    Thanks


    Randy in Marin

    Wednesday, July 10, 2013 4:08 PM
  • Hello,

    I assume those developers are using SQL Server Express on their laptops. What about letting them try LocalDB?  It can help you avoid SQL Server installations.

    http://www.sqlcoffee.com/SQLServer2012_0004.htm

    If they are not using laptops, why not use just one or two instances only for development?

    Hope this helps.


    Regards,
    Alberto Morillo
    SQLCoffee.com


    Wednesday, July 10, 2013 6:33 PM
  • LocalDB is something we are considering.  If all teams adopt a new development strategy using SSDT, we might be able to avoid using the DEV edition in most cases.  For now, I need to figure out what to do with policy removing rights.  We are just starting with SQL 2012, so I have a chance to avoid developers using local system for service accounts. 

    Randy in Marin

    Wednesday, July 10, 2013 8:15 PM
  • FYI: "NT SERVICE\ALL SERVICES" can be added to GPO.  I think it can be used to add the log on as a service right for all service SIDs.  I don't know if this is the way to add the other rights unless you want all SIDs to have those rights. 

    Randy in Marin

    Wednesday, July 24, 2013 8:13 PM
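
Following up the FYI above about "NT SERVICE\ALL SERVICES", here is an added example that is not part of the thread and not from any of its participants: a Python script that derives the per-service SID Windows assigns to names such as NT SERVICE\MsDtsServer110, parses the [Privilege Rights] section of a `secedit /export /cfg` export, and reports whether a given service would still hold SeServiceLogonRight (log on as a service) under three constructed policies that mirror the scenarios discussed: a locked-down developer OU, one that grants the right to NT SERVICE\ALL SERVICES, and one that grants it to a single explicit service SID. The policy texts are constructed for illustration, not copied from a real export. The SID derivation (SHA-1 over the upper-cased, UTF-16LE-encoded service name, split into five 32-bit little-endian values after the S-1-5-80 prefix) is the scheme Windows uses for service SIDs, and S-1-5-80-0 is the well-known SID for NT SERVICE\ALL SERVICES.

```python
import hashlib
import struct

# Well-known SID for "NT SERVICE\ALL SERVICES": a right granted to it covers every
# service SID on the machine, which is why it can be used in a GPO to restore
# "log on as a service" for all services without opening it to other local accounts.
ALL_SERVICES_SID = "S-1-5-80-0"
SERVICE_SID_PREFIX = "S-1-5-80-"


def service_sid(service_name: str) -> str:
    """Derive the SID Windows assigns to NT SERVICE\\<service_name>.

    The five sub-authorities after S-1-5-80 are the SHA-1 digest of the
    upper-cased service name encoded as UTF-16LE, read as little-endian
    32-bit unsigned integers. The lookup is therefore case-insensitive.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    parts = struct.unpack("<5I", digest)
    return SERVICE_SID_PREFIX + "-".join(str(p) for p in parts)


def parse_privilege_rights(inf_text: str) -> dict:
    """Parse the [Privilege Rights] section of a `secedit /export /cfg` file.

    Returns {privilege_name: set_of_principals}. secedit writes SIDs with a
    leading '*' (e.g. *S-1-5-20); the star is stripped so callers compare
    plain SID strings.
    """
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        privilege, _, value = line.partition("=")
        principals = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
        rights[privilege.strip()] = principals
    return rights


def service_has_right(rights: dict, privilege: str, service_name: str) -> bool:
    """True if the service's own SID, or NT SERVICE\\ALL SERVICES, holds the privilege."""
    holders = rights.get(privilege, set())
    return service_sid(service_name) in holders or ALL_SERVICES_SID in holders


# Constructed exports (not real secedit output). S-1-5-19 is LOCAL SERVICE and
# S-1-5-20 is NETWORK SERVICE; the [Unicode]/[Version] headers mimic a real file.
DEV_OU_EXPORT = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = *S-1-5-19,*S-1-5-20
"""

ALL_SERVICES_EXPORT = """[Privilege Rights]
SeServiceLogonRight = *S-1-5-19,*S-1-5-20,*S-1-5-80-0
"""

# Grant to one explicit service SID only; the literal is generated here for
# the example, whereas a real export would contain it as a fixed string.
EXPLICIT_SID_EXPORT = "[Privilege Rights]\nSeServiceLogonRight = *S-1-5-20,*%s\n" % (
    service_sid("MsDtsServer110")
)

LOCKED_DOWN = parse_privilege_rights(DEV_OU_EXPORT)
ALL_SERVICES_GRANTED = parse_privilege_rights(ALL_SERVICES_EXPORT)
EXPLICIT_SID = parse_privilege_rights(EXPLICIT_SID_EXPORT)


def report(label: str, rights: dict, services) -> dict:
    """Return {service: can_log_on_as_service} for one policy and print a summary."""
    result = {s: service_has_right(rights, "SeServiceLogonRight", s) for s in services}
    for name, ok in result.items():
        print("%-22s %-16s %s" % (label, name, "OK" if ok else "BLOCKED"))
    return result


if __name__ == "__main__":
    sql_services = ["MSSQLSERVER", "MsDtsServer110", "SQLSERVERAGENT"]
    for name in sql_services:
        print("NT SERVICE\\%s -> %s" % (name, service_sid(name)))
    report("dev OU (locked down)", LOCKED_DOWN, sql_services)
    report("ALL SERVICES granted", ALL_SERVICES_GRANTED, sql_services)
    report("explicit SID only", EXPLICIT_SID, sql_services)
```

On a real machine the derived value can be cross-checked with `sc.exe showsid MsDtsServer110`, and the live policy can be exported with `secedit /export /cfg C:\temp\policy.inf` and fed to `parse_privilege_rights`. The third policy shows what a GPO entry for a single service SID would look like if the administrators can add one: only that service passes, while the other SQL Server services remain blocked, which is the "least privilege" outcome the thread was asking about.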