Change service accounts from Domain Admin to local Admin SQL Cluster

  • Question

  • Hi

    We have some SQL Clusters in our environment. The previous administrator made user accounts for the SQL cluster services, but he put these accounts in the Domain Admins group. The security staff asked me to remove them from this group, but I don't know if this would raise issues for the SQL cluster.

    I thought it would be better to put these accounts in the local Administrators group on every server in the cluster and remove these accounts from the Domain Admins group, but we cannot restart the servers....

    Is this possible, or is it necessary to do another extra procedure?

    Thanks in advance.


    Doc MX

    Tuesday, December 10, 2013 12:52 AM

Answers

  • Your SQL Server service accounts don't even need to be local Administrators. An ordinary domain user account works fine. SQL Server Configuration Manager will grant the necessary permissions and ACLs to the service account. Of course, you need to start evaluating everything else that runs in the context of your service account - backups, SQL Server Agent jobs, etc. Plus, ordinary domain user accounts without local Administrator rights do not have the Perform Volume Maintenance Tasks privilege (used for instant file initialization) on your cluster nodes. No need to restart the SQL Server service (or, in the case of a failover cluster, failover and failback) since it uses the same domain user account - only the permissions and ACLs change, not the SID.


    Edwin Sarmiento SQL Server MVP | Microsoft Certified Master


    Saturday, December 21, 2013 4:33 PM

All replies

  • Hello,

    It is always recommended to run the Cluster service with a domain account having the least privileges. Running with a local account can have issues: for example, when SQL Server restarts, the account loses logon rights due to AD policy (I have seen this issue many times). Now suppose for any reason SQL Server stops at midnight; it won't start, as the local account will lose privileges. So get a domain service account created; the links below will surely be helpful.

    http://technet.microsoft.com/en-us/library/ms345578.aspx

    http://technet.microsoft.com/en-us/library/cc784325(v=ws.10).aspx

    Tuesday, December 10, 2013 5:31 AM
  • Hi Shanky

    OK, in my case I won't use a local account. I'll just put that service domain account in the local Administrators group on every server in the cluster; after that, I'll remove that service domain account from the Domain Admins group.

    If I do that, do I have to restart the servers? Or what should I do to avoid interrupting the SQL cluster services for all my users?


    Doc MX

    Saturday, December 21, 2013 2:40 PM
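The accepted answer says the service accounts need neither Domain Admins nor local Administrators membership, and that two user rights matter once they are plain domain users: "Log on as a service" (the right Shanky's reply describes being lost) and "Perform volume maintenance tasks" (instant file initialization). The script below is an added example, not code from the thread or from Microsoft; it audits the accounts running the SQL Server services on each cluster node against exactly those points. The node names and the NetBIOS domain are placeholders, the ActiveDirectory module is assumed to be installed where the script runs, and administrative rights on the nodes are assumed because `secedit /export` requires them.

```powershell
# Added example (not from the thread): audit SQL Server service accounts on cluster nodes.
# Reports, per service: Domain Admins membership, local Administrators membership, and
# whether the account's SID holds SeServiceLogonRight and SeManageVolumePrivilege.
#Requires -Modules ActiveDirectory

$Nodes  = @('SQLNODE01', 'SQLNODE02')   # placeholder cluster node names
$Domain = 'CONTOSO'                     # placeholder NetBIOS domain name

# Resolve Domain Admins once, including nested group membership.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

$perNode = {
    param($Domain)

    # SQL Server engine, Agent and related services, matched by service-name prefix.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like 'MSSQL*' -or $_.Name -like 'SQLAgent*' -or $_.Name -like 'SQLServer*' }

    # Export the local security policy so user-rights assignments can be read.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit.exe /export /cfg $cfg /quiet | Out-Null
    $policy = Get-Content -Path $cfg
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    # True when $sid is listed for the given right; secedit writes SIDs as "*S-1-5-...".
    function Test-UserRight($right, $sid) {
        $line = $policy | Where-Object { $_ -like "$right = *" } | Select-Object -First 1
        if (-not $line) { return $false }
        $assigned = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
        return $assigned -contains $sid
    }

    # Local Administrators members come back as DOMAIN\name, matching Win32_Service.StartName.
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name

    foreach ($svc in $services) {
        $acct = $svc.StartName
        $sid  = $null
        try {
            $nt  = New-Object System.Security.Principal.NTAccount($acct)
            $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { }   # e.g. 'LocalSystem', which does not translate by that spelling

        $svcLogon = $null; $volMaint = $null
        if ($sid) {
            $svcLogon = Test-UserRight 'SeServiceLogonRight' $sid
            $volMaint = Test-UserRight 'SeManageVolumePrivilege' $sid
        }

        [pscustomobject]@{
            Node            = $env:COMPUTERNAME
            Service         = $svc.Name
            Account         = $acct
            IsDomainAccount = $acct -like "$Domain\*"
            IsLocalAdmin    = $localAdmins -contains $acct
            HasServiceLogon = $svcLogon
            HasVolumeMaint  = $volMaint
        }
    }
}

$results = foreach ($node in $Nodes) {
    Invoke-Command -ComputerName $node -ScriptBlock $perNode -ArgumentList $Domain
}

# Add the Domain Admins check from the central view and print the audit table.
$results | ForEach-Object {
    $sam = $_.Account.Split('\')[-1]
    $_ | Add-Member -NotePropertyName IsDomainAdmin -NotePropertyValue ($domainAdmins -contains $sam) -PassThru
} | Format-Table Node, Service, Account, IsDomainAdmin, IsLocalAdmin, HasServiceLogon, HasVolumeMaint -AutoSize
```

A row with `IsDomainAdmin` true is the condition the security staff objected to; `HasServiceLogon` false on any node is the startup failure Shanky describes, and `HasVolumeMaint` false is the instant-file-initialization gap the accepted answer mentions. Re-run the script after changing group membership to confirm the rights are still held by the SID, since the answer's point is that the SID, and therefore these assignments, do not change.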