Re: Account Recommendations

---

• From: "Ben Nevarez" <bnevarez@xxxxxxx>
• Date: Sun, 13 Nov 2005 16:11:04 -0800

---

What I do is:

I use a Windows domain account for both SQL Server and SQL Server Agent. I
Do not give any permissions to this account. Do not add it to the local
Administrators group. The SQL Server setup will give this account the
required permissions. By using this domain account SQL Server will be able
to access resources on the network (after permissions are granted).

I give a strong password to sa but do not use this account.

Try to have the members of sysadmin to a minimum.

Ben Nevarez



"Jason Callas" <jcallas@xxxxxxxxxx> wrote in message
news:%23rKhwdw5FHA.3984@xxxxxxxxxxxxxxxxxxxxxxx
>I got a weird permission issue with scheduled DTS packages trying to access
>files using UNC naming convention. (It did not work... access denied.) Even
>though the scheduled job (through SQL Job Agent) was owned by a domain
>account it did not work. I had to changed the job agent service to run
>under a domain account to fix it.
>
> Anyways... this got asking...
>
> What is the recommended setup for running SQL and its associated services?
>
> SQL Server - domain account / member of local Administrators group /
> member of SQL System Administrators group
>
> sa account - server account (no idea what to do with this one or what
> it is for) / owner of my scheduled jobs
>
> SQL Job Agent - domain account / same as SQL server process
>
> SQL Report Server - domain account / same as SQL server process
>
> Pertinent questions:
>
> 1. Should I be using the same domain account for all these services?
> 2. Should the accounts used be part of the local administrators group?
> 3. For job agent and report server, does the account need to be part of
> SQL System Administrators?
> 4. Am I correct in needing a domain account for job agent in order to
> access files via UNC in DTS?
>
> Not sure if I am missing any other questions....
>
>
> Thanks.
> - Jason
>


.

---

• References:
  • Account Recommendations
    • From: Jason Callas

• Prev by Date: Re: Which of the following installs aren't required with SQL 2005?
• Next by Date: Re: Cannot find Managent Studio
• Previous by thread: Account Recommendations
• Next by thread: Re: Cnames with SQL Server
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Problems changing the password for the service account in SQL ... Adding the domain account which runs SQL Server into SQL Server doesn't ... Server if it is running under the domain account. ... Admin-SQL, Logon Exec - exception from ... (microsoft.public.sqlserver.security) Re: Problems changing the password for the service account in SQL ... It is because there is BULTIN\Administrstors Login that alllow access to ... You have a domaim account group that SQL Server ... this domain account in SQL Server ... (microsoft.public.sqlserver.security) SQL services failing on startup ... The services are set to autostart using a windows account. ... The account is restricted to logon only to computers ... for several months, the last two weekends, SQL Server has failed to startup ... The domain account was a member of the local admin group. ... (microsoft.public.sqlserver.server) Re: Connections errors ... Jasper Smith (SQL Server MVP) ... accounts and not the NT domain account. ... >> been observing connection errors that we can trace back ... (microsoft.public.sqlserver.security) Re: Error 15401 using sp_grantlogin (not addressed by current KB articles) ... Restarting Windows 2000 resolved the problem for this particular account, ... confused when it sees a duplicate SID. ... > One way to get SQL Server to agree with the renamed NT ... > Preview (to ensure the script was created), ... (microsoft.public.sqlserver.security)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > SQL-Server  > microsoft.public.sqlserver.setup  > 2005-11