locked
SQL Privileges required to run SQL Server and SQL Agent RRS feed

  • Question

  • We are attempting to lock down our SQL installation by running in "Least Privilegeed Mode".  From reviewing available documentation (specifically: http://msdn.microsoft.com/en-us/library/ms143504.aspx) we understand that a WinNT Domain User

    is sufficient for the server account (for both SQL Server and SQL Server Agent).  What is not clear is what, if any SQL privileges are required.  I.e. is PUBLIC sufficient for the actual running of SQL Server/Server Agent?  Or must the selected NT account be designated as a SQL SysAdmin?  I have an instance of SQL 2008 running with an NT account that only has Public permissions – but I don’t know if this will result in some failures if, say, we attempt a backup/restore, add or delete a database or table, etc. 

    Any information that could help here is greatly appreciated.

    Thursday, December 3, 2009 12:32 AM

Answers

  • By default, SQL Server 2008 installation will create a security group called SQLServer2005MSSQLUser$ComputerName$MSSQLSERVER and agent with the correct rights. You just need to create a domain user and add that domain account as member of that group.
    The SQL Server Agent service account requires sysadmin privilege in the SQL Server instance that it is associated with.
    Have a look at the document anyway - http://download.microsoft.com/download/8/5/e/85eea4fa-b3bb-4426-97d0-7f7151b2011c/SQL2005SecBestPract.doc
    Thanks, Leks
    Thursday, December 3, 2009 1:04 AM
  • The domaiin account which you have choosed for SQL Agent service must has sysadmin privilege in SQL Server else you wont be able to start SQLAgent service.
    As an alternative you can try what Lekss said, just add the domain ID to the default group, at the time of installation SQL Server will provide the least privilege required for the group.


    http://sql-articles.com/articles/general/sql-server-service-accounts
    Vidhya Sagar. Mark as Answer if it helps!
    Thursday, December 3, 2009 7:03 AM

All replies

  • By default, SQL Server 2008 installation will create a security group called SQLServer2005MSSQLUser$ComputerName$MSSQLSERVER and agent with the correct rights. You just need to create a domain user and add that domain account as member of that group.
    The SQL Server Agent service account requires sysadmin privilege in the SQL Server instance that it is associated with.
    Have a look at the document anyway - http://download.microsoft.com/download/8/5/e/85eea4fa-b3bb-4426-97d0-7f7151b2011c/SQL2005SecBestPract.doc
    Thanks, Leks
    Thursday, December 3, 2009 1:04 AM
  • The domaiin account which you have choosed for SQL Agent service must has sysadmin privilege in SQL Server else you wont be able to start SQLAgent service.
    As an alternative you can try what Lekss said, just add the domain ID to the default group, at the time of installation SQL Server will provide the least privilege required for the group.


    http://sql-articles.com/articles/general/sql-server-service-accounts
    Vidhya Sagar. Mark as Answer if it helps!
    Thursday, December 3, 2009 7:03 AM