service account question

  • Question

  • Hello,

    there are multiple identical questions but in different scenarios.

    Let me ask too :)

    Setting up SQL 2012 on Server 2012. Planning to use it in production, so I am following best practices for partition allocation unit size, etc.

    Would like to know the right/best/practical use of service account.

    I want to create domain user. Add it to local admin group on the server and use that account.

    Is this right? I am installing SQL as Domain Admin.

    Thanks.


    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

    Friday, June 13, 2014 3:29 PM


All replies

  • For service accounts you should not give them any unnecessary permissions. They need the least permissions. Take a look at this article.

    http://msdn.microsoft.com/en-us/library/ms143504.aspx


    Regards, Ashwin Menon My Blog - http:\\sqllearnings.com

    Friday, June 13, 2014 3:32 PM
  • I want to create domain user. Add it to local admin group on the server and use that account.

    Is this right? I am installing SQL as Domain Admin.

    From a security perspective this is not the correct way; please refer to the link posted by Ashwin. Unless it is required, always use the principle of least privilege; believe me, it saves a lot of hassle.

    Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it.

    My TechNet Wiki Articles

    Friday, June 13, 2014 3:35 PM
  • Ashwin,

    thanks for the link. I am not pretending to be a SQL admin. So really, reading it all is a bit much.

    Surely, I understand that local admin rights are too much...

    Let me ask differently...

    Theoretically the default MS accounts provided under service accounts should be the best option.

    Could you please just say why people use a domain account, and what privileges for this account would be sufficient to make SQL work with such an account instead of full local admin rights.

    I need 3 services:

    SQL Server Database Engine

    SQL Server Agent

    SQL Server Browser

    Thanks.


    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis


    Friday, June 13, 2014 3:42 PM
  • Hi,

    You don't have to give any additional permissions when using a domain account as a service account. Setup will grant the necessary permissions during the setup process. They are not even added directly to the service account but to the per-service SID, which means the service itself actually gets the permissions. This makes sure that the service accounts themselves have no additional permissions.

    Regarding MS recommendations, they say either a Managed Service Account or a Virtual Account. But again, virtual accounts cannot be used with clusters. They are newly introduced concepts from Windows 2008 R2 onwards. Honestly, I haven't used either of them because of different company standards.


    Regards, Ashwin Menon My Blog - http:\\sqllearnings.com

    Friday, June 13, 2014 3:53 PM
  • Ashwin,

    super answer!

    This particular server will not be a central SQL server for the company and will contain 2 DBs.

    I would be very happy to keep the default Virtual Accounts. I can always revert the installation and try the other options. It would even be interesting to know whether it will affect app functionality.

    From your perspective, would the default virtual accounts fit the above requirement?

    About the domain account, your explanation is very clear.

    So I continue the installation under the domain admin account and for the service account enter a BASIC domain user name.

    Thanks.


    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

    Friday, June 13, 2014 4:13 PM
  • If you're not using an AlwaysOn FCI or AG and not using Transparent Database Encryption, then the default Virtual Account is preferred.

    David


    David http://blogs.msdn.com/b/dbrowne/

    Friday, June 13, 2014 4:34 PM
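    The rule of thumb in David's answer (no FCI, no AG, no TDE: keep the virtual account) can be checked against the instance itself. The script below is an added example, not code from this thread or from Microsoft; it assumes a local default instance reachable as `.`, Windows authentication, and a login that holds VIEW SERVER STATE (the DMVs it reads require it). It reads the service accounts from sys.dm_server_services, then asks SERVERPROPERTY and sys.dm_database_encryption_keys whether any of the three conditions is present, and prints a verdict.

```powershell
# Added example (not from the thread). Checks David's three conditions for keeping the
# default virtual account on a running SQL Server 2012 instance.
# Assumptions: local default instance '.', Windows auth, VIEW SERVER STATE held by the caller.
# Uses System.Data.SqlClient directly, so no SQLPS module is required.

$instance = '.'

# Two result sets: the service accounts, then the FCI / AlwaysOn / TDE indicators.
# encryption_state 3 = encrypted; database_id 2 = tempdb, which is encrypted as a side effect
# of any TDE database and would otherwise inflate the count.
$query = @"
SELECT servicename, service_account FROM sys.dm_server_services;
SELECT ISNULL(CAST(SERVERPROPERTY('IsClustered')   AS int), 0) AS IsClustered,
       ISNULL(CAST(SERVERPROPERTY('IsHadrEnabled') AS int), 0) AS IsHadrEnabled,
       (SELECT COUNT(*) FROM sys.dm_database_encryption_keys
         WHERE encryption_state = 3 AND database_id <> 2)      AS TdeDatabases;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$instance;Integrated Security=SSPI;")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()

    $services = @()
    while ($reader.Read()) {
        $services += [pscustomobject]@{
            Service = [string]$reader['servicename']
            Account = [string]$reader['service_account']
        }
    }

    [void]$reader.NextResult()
    [void]$reader.Read()
    $isClustered   = [int]$reader['IsClustered']
    $isHadrEnabled = [int]$reader['IsHadrEnabled']
    $tdeDatabases  = [int]$reader['TdeDatabases']
    $reader.Close()
} finally {
    $conn.Close()
}

$services | Format-Table -AutoSize

# Only the Database Engine and Agent are candidates for virtual accounts; Browser runs
# as a built-in account and is not part of this decision.
$engineAndAgent = @($services | Where-Object {
    $_.Service -like 'SQL Server (*' -or $_.Service -like 'SQL Server Agent (*'
})
$notVirtual = @($engineAndAgent | Where-Object { $_.Account -notlike 'NT Service\*' })

$needsDomainAccount = ($isClustered -eq 1) -or ($isHadrEnabled -eq 1) -or ($tdeDatabases -gt 0)

if ($needsDomainAccount) {
    "FCI=$isClustered AlwaysOn=$isHadrEnabled TDE databases=$tdeDatabases: plan for a domain or managed service account."
} elseif ($notVirtual.Count -eq 0) {
    "No FCI, AlwaysOn or TDE, and engine/agent already run as virtual accounts: keep the defaults."
} else {
    "No FCI, AlwaysOn or TDE, but these run as something else: " +
    (($notVirtual | ForEach-Object { "$($_.Service) -> $($_.Account)" }) -join '; ')
}
```

    Run it from a PowerShell prompt on the server after setup; for a named instance change `$instance` to `.\NAME`. It does not change anything, so it is safe to run against the production box before deciding whether to reconfigure the services.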
  • Thanks David.

    I will use Standard edition, so no clustering.

    And I will give the default service accounts a try.

    But I found it interesting to know that for the service account I can use a domain user account without any privileges on the local machine.


    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

    Friday, June 13, 2014 4:57 PM
  • >But I found interesting to know that for service account I can use domain user account without any privileges on local machine.

    It still needs _some_, like the privilege to log on as a service.  But the privileges needed to run SQL Server are assigned to the per-service SID, not to the service account.

    David


    David http://blogs.msdn.com/b/dbrowne/

    Friday, June 13, 2014 5:01 PM
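    Ashwin's point that setup grants the rights to the per-service SID rather than to the account, and David's point that the account itself still needs "Log on as a service", are both things you can verify on the host after installation. The script below is an added example, not code from this thread; it assumes a default instance (service names MSSQLSERVER, SQLSERVERAGENT and SQLBrowser), Windows Server 2012 with PowerShell 3.0 or later, and an elevated session (secedit needs it). For each service it reports the logon account, whether that account or the per-service SID is in the local Administrators group (neither should be), whether the per-service SID is enabled, and whether the account holds SeServiceLogonRight.

```powershell
# Added example (not from the thread). Audits the SQL Server service accounts on the local host.
# Assumptions: default instance, PowerShell 3.0+ on Windows Server 2012, run elevated.

$services = 'MSSQLSERVER', 'SQLSERVERAGENT', 'SQLBrowser'

# Resolve "DOMAIN\name", "NT SERVICE\name" or "NT AUTHORITY\..." to a SID string; $null if it
# cannot be resolved (e.g. the pseudo-name "LocalSystem").
function Get-SidString([string]$Account) {
    try {
        (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

# Members of the local Administrators group as SIDs, via ADSI (works before Get-LocalGroupMember existed).
$adminGroup = [ADSI]'WinNT://./Administrators,group'
$adminSids = @($adminGroup.Invoke('Members') | ForEach-Object {
    $raw = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
})

# Holders of "Log on as a service" from a secedit export of the local security policy.
# The exported line looks like:  SeServiceLogonRight = *S-1-5-80-...,*S-1-5-21-...,CONTOSO\sqlsvc
$inf = Join-Path $env:TEMP 'user-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue
$serviceLogonSids = @()
if ($line) {
    $serviceLogonSids = @((($line -split '=', 2)[1] -split ',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) { $entry.Substring(1) } else { Get-SidString $entry }
    })
}

# Built-in accounts hold the logon-as-service right implicitly; only flag real user accounts.
$builtin = 'LocalSystem', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\NETWORK SERVICE',
           'NT AUTHORITY\NETWORKSERVICE', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\LOCALSERVICE'

foreach ($name in $services) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "$name is not installed on this host"; continue }

    $account    = $svc.StartName                 # e.g. NT Service\MSSQLSERVER or CONTOSO\sqlsvc
    $accountSid = Get-SidString $account
    $perSvcSid  = Get-SidString "NT SERVICE\$name"

    # sc.exe qsidtype prints "SERVICE_SID_INFO:  UNRESTRICTED" when the per-service SID is enabled.
    $sidInfo = & sc.exe qsidtype $name | Select-String 'SERVICE_SID_INFO'
    $sidType = if ($sidInfo) { ($sidInfo.ToString() -split ':', 2)[1].Trim() } else { 'unknown' }

    if ($account -in $builtin) {
        $logonRight = 'n/a (built-in account)'
    } else {
        $logonRight = [bool]($accountSid -and ($serviceLogonSids -contains $accountSid))
    }

    [pscustomobject]@{
        Service                   = $name
        Account                   = $account
        AccountIsLocalAdmin       = [bool]($accountSid -and ($adminSids -contains $accountSid))
        PerServiceSidType         = $sidType
        PerServiceSidIsLocalAdmin = [bool]($perSvcSid -and ($adminSids -contains $perSvcSid))
        HasLogonAsService         = $logonRight
    }
}
```

    On a box set up the way the thread recommends, a domain service account shows AccountIsLocalAdmin False, PerServiceSidType UNRESTRICTED and HasLogonAsService True; a True in either IsLocalAdmin column means someone granted more than setup did, which is the thing Shanky and Ashwin are warning against.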
  • David and one more thing...

    I can profit from the moment that I am talking to a forum moderator :)

    I guess it would be a good idea to have the option to mark more than one answer as "Mark as answer".

    I have to mark your answer because this is the right answer.

    But I marked Ashwin's answer before.

    If I mark yours, his answer will be unmarked.

    Thanks!


    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

    Friday, June 13, 2014 5:19 PM
  • You can mark as many answers as you feel fit. There is no limitation on the number of answers per thread.

    For every expert, there is an equal and opposite expert. - Becker's Law


    My blog


    My TechNet articles

    Friday, June 13, 2014 5:24 PM
  • I tried...

    when I click Mark... on a new answer, another previously Marked as Answer becomes Unmarked.


    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

    Friday, June 13, 2014 5:37 PM
  • It didn't. Right now there are 2 answers marked in this thread. But only the first marked answer shows in the left pane.

    For every expert, there is an equal and opposite expert. - Becker's Law


    My blog


    My TechNet articles

    Friday, June 13, 2014 5:47 PM
  • tried again...

    Ashwin's answer was Marked.

    Then I clicked Mark for David's answer and Ashwin's became Unmarked.

    Did a refresh - both are marked.


    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

    Friday, June 13, 2014 5:55 PM