Rule "Setup account privileges" failed on SQL Server 2008 SP 3

Question

We have installled SQL Server 2008 Client Tools and SSIS on a Windows 7 client.  When we tried to install SP 3 we got the error

Rule "Setup account privileges" failed

The account that is running SQL Server Setup does not have one or both of the following rights: the right to backup files and directories, and the right to manage auditing and the security log. To continue use an account with both of these rights.

The account being used is in the Administrators group.  However the corporate GPO does not assign the right to "manage auditing and security log" to any local user or group.  This setting is not able to be changed by any of the machine's local accounts. 

We were able to install SP1 successfully but both SP2 and SP3 failed on this issue. 

How can we install SP3 without that privilege being a pre-requisite or without performing this check?

---

Edward R. Joell MCSD MCDBA

Answer 1

 

Hello,

Please try the resolution posted in the following article or disable temporarily the policy.

http://support.microsoft.com/kb/2000257

Hope this helps.

Regards,

Alberto Morillo
SQLCoffee.com

Answer 2

Please note that as stated above we have no rights to do anything to that policy.  We already tried that.

---

Edward R. Joell MCSD MCDBA

Answer 3

 

Hello,

SQL Server is designed to be installed with those rights. The workarounds I posted on my previous post are the only ones I know for this issue.

 Hope this helps.

Regards,

Alberto Morillo
SQLCoffee.com

Answer 4

Does not help, because we do not have the rights to implement the work-around

---

Edward R. Joell MCSD MCDBA

Answer 5

Do you have some other way to disable this Group Policy?

---

Edward R. Joell MCSD MCDBA

Answer 6

Hi joeller,

You could try to install SQL Server Service Pack from Command Prompt.
Reference: Installing Updates from the Command Prompt: http://msdn.microsoft.com/en-us/library/dd638066(v=sql.100).aspx.

Thanks,
Maggie

 

---

Please remember to mark the replies as answers if they help and unmark them if they provide no help. This can be beneficial to other community members reading the thread.

Answer 7

Did not work.   Same error.

---

Edward R. Joell MCSD MCDBA

Answer 8

 

Hello,

On a domain environment, there is no way a non-administrator user can overcome a GPO policy.

Hope this help.

Regards,

Alberto Morillo
SQLCoffee.com

Answer 9

Actually we are members of the local machine administrators group.  So why can't we overcome the GPO?

Then why were we able to install SP1?  How are we supposed to get the subsequent services packs to SQL Server 2008?

---

Edward R. Joell MCSD MCDBA

Answer 10

Actually we are members of the local machine administrators group.  So why can't we overcome the GPO?

Then why were we able to install SP1?  How are we supposed to get the subsequent services packs to SQL Server 2008?

---

Edward R. Joell MCSD MCDBA

For exactly that reason, you're a member of the LOCAL Admin group, not the Domain Admin group.  The policies set by the Domain Admin overrule the Local Admin, the theory being that the Domain Admin knows best.

You were likely able to install SP1 because the policy that is currently preventing you from installing didn't exist at the time.

Answer 11

That is not correct. We installed SP1 because we were unable to install first SP 3, then SP2. There was no change in policy in those ten minutes.

---

Edward R. Joell MCSD MCDBA

Answer 12

Hi Edward

Have you found the solution to this?

I am having the same problem.

Answer 13

Nope.  I sure hope that SP2 and 3 were not about security issues.  The Navy would not be happy if a machine got hacked because the service pack would not install merely because the local adminstrator was not allowed to manage auditing and the security log.

---

Edward R. Joell MCSD MCDBA

Answer 14

I know it might be a little late to answer this :) but I guess it will be good for other people with the same problem, what I did was reset the password for one of the local users in my case the administrator which had the name changed as well, grant all the privileges needed to that user then install.

in case you any of you guys don't know I will put the step by step here:

C:\Windows\System32\lusrmgr.msc

click Users.

Choose an User from the list. if the account is disabled, well enable it

click the member of tab then click add / Advanced / Find Now and add the user to the right role/group then click OK

in case the user already has the rights you won't need to do the above mentioned.

the last thing is to change the password for that user if you don't know it right click the user name and click Set Password.

now try to log in as that user, usually you log in like DOMAIN\USERNAME here you will need to MACHINENAME\USERNAME for the user name.

I don't encourage you to do this without permission, so do it at your own risk, first ask if you should do it.

I hope this could help anyone.

Answer 15

grant all the privileges needed to that user then install.

However the corporate GPO does not assign the right to "manage auditing and security log" to any local user or group. This setting is not able to be changed by any of the machine's local accounts.

Note above from original post, that we are not able to "grant all the privileges needed to that user."  For all accounts whether machine local, domain, new or existing accounts, this privilege is not granted and not grantable.  We ended up removing SS 2008 and installing SS 2008 R2 client tools last June.  This not an answer, but we no longer need it.  While I would be tempted to keep it open for those people, some Moderator will invariably mark an unworkable answer as the correct answer.  In addition, in most cases no one post question open that long.  So I am going to mark this as the answer and if anyone is still having this issue I would advise her or him to open a new thread.

---

Edward R. Joell MCSD MCDBA