 Best Practices for Service Accounts in SQL 2008


misnole
Starting Member

5 Posts

Posted - 2011-02-18 : 14:21:13
I'm trying to put together a document to present to the lead network engineer in regards to my new SQL 2008 installation. Our current SQL2005 instance runs under an admin domain account, but I am trying to move away from that and use a domain account that has minimally privileged rights.

Would it be acceptable to run the following services under one domain account or should I use separate accounts for each service:
1. SQL Server Agent
2. SQL Server Database Engine
3. SQL Analysis Services
4. SQL Reporting Services
5. SQL Server Browser

From my research, it would appear that I could create this account and give it the following permissions:
1. Add to Pre-Window Compatible Access group
2. Permission to log on as a service, which I would request be done through Group Policy http://tinyurl.com/4nhfugf

In addition, if I were to use the same domain account to run the SQL Service Agent, it would need the following permissions http://tinyurl.com/b5zykd
1. Permission to bypass traverse checking
2. Permission to replace a process-level token
3. Permission to adjust memory quotas for a process
4. Permission to log on using the batch logon type

Any thoughts on this?

jeffw8713
Aged Yak Warrior

819 Posts

Posted - 2011-02-18 : 20:18:25
I will normally run all SQL Services on a single node under one service account. The only time I split it up is if there are specific requirements for accessing network resources that I want to separate out by service.

You do not have to set any of the above privileges. All the permissions you need will be set when you install SQL Server - as long as you install using your service account. If you change it later, you just need to change it using configuration manager and that should set all the privileges you need.

The only additional settings that you will want to set are:

Lock pages in memory right
Perform volume maintenance tasks

Both of those are set in local policy editor - and you just need to add the service account to those local policies.

Jeff
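
An added example, not part of either post above: a read-only PowerShell check that lists which account each SQL Server service runs under and whether that account is directly assigned the user rights named in this thread. The service name patterns and the temporary file name are assumptions; run it from an elevated prompt on the SQL Server host.

```powershell
# Added example: audit SQL Server service logon accounts and their user rights.
# Reads settings only; nothing is changed on the host.
$rights = 'SeServiceLogonRight', 'SeBatchLogonRight', 'SeChangeNotifyPrivilege',
          'SeAssignPrimaryTokenPrivilege', 'SeIncreaseQuotaPrivilege',
          'SeLockMemoryPrivilege', 'SeManageVolumePrivilege'

# Assumed name patterns covering default and named instances of each service.
$filter = "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%' OR Name LIKE 'MSOLAP%' " +
          "OR Name LIKE 'ReportServer%' OR Name = 'SQLBrowser'"
$services = Get-CimInstance Win32_Service -Filter $filter

# Export the local user rights assignment to a temporary INF file and parse it.
$cfg = Join-Path $env:TEMP 'sql_user_rights.inf'   # assumed file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$assigned = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        # Entries are "*SID" or plain account names, separated by commas.
        $assigned[$Matches[1]] = @($Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg

function Resolve-Sid([string]$Account) {
    # Returns the SID string for an account name, or $null if it does not resolve.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

$report = foreach ($svc in $services) {
    $sid = Resolve-Sid $svc.StartName
    foreach ($right in $rights) {
        $holders = @($assigned[$right])
        [pscustomobject]@{
            Service = $svc.Name
            Account = $svc.StartName
            Right   = $right
            # Direct grants only: a right held through a group shows False here.
            Direct  = [bool](($sid -and ($holders -contains $sid)) -or
                             ($holders -contains $svc.StartName))
        }
    }
}
$report | Format-Table -AutoSize
```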