kensai
Posting Yak Master
172 Posts |
Posted - 2010-09-27 : 10:28:59
|
Our current SQL Server service is running under the Local System account. To back up to a network/mapped drive I'm thinking of running it under a domain administrator account. Would such an account change break something with SQL Server?
|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2010-09-27 : 10:33:53
|
It won't break anything, but it's not a good idea to use a domain administrator account. If someone compromises your SQL Server they could inherit domain admin privileges and do anything a domain admin can.

Better to set up a domain account with just enough privileges to do what you need it to do... file access, run services, lock pages in memory, and only enough access to other servers to get your backups copied.
 |
|
kensai
Posting Yak Master
172 Posts |
Posted - 2010-09-29 : 04:28:35
|
Thank you for the info, robvolk.

I created a user in Active Directory. Gave it admin rights on the local box which will make backups. Changed the SQL Server service account to this new account. Created a share on the network and gave it full control to this new account and Domain Computers. I can now make backups to this network share without any problems. It is probably not the safest route, but I couldn't find an exact list of required permissions for the SQL Server service accounts and I'm OK with this setup.
 |
|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2010-09-29 : 07:45:57
|
You can pare back the local Admin rights to:

- Add login to SQL Server's sysadmin server role
- Run as a service (Run gpedit.msc, under User Rights Assignment, can't remember the exact path)
- Lock pages in memory (gpedit.msc, needed for AWE memory use, same as above)
- Folder permissions for local backup files
- MSDTC permissions (only necessary if you use linked servers)

If you get the first 2 settings done, you should be able to remove it from the local Admin group without affecting it. If you have problems with the file/folder permissions, try adding it to Power Users before putting it back into Admin. You can work out more granular folder permissions as you go.

The MSDTC permissions may not be necessary and are kind of a pain to configure. Don't worry about them for now unless you're immediately experiencing problems with linked server permissions.

You may also want to remove BUILTIN\Administrators from SQL Server's logins. Be careful though, make sure you register another sysadmin login besides SA that you can log in with. Even better, create a Windows domain group for SQL admin access and add the group to SQL Server, then add the appropriate Windows users (including the service account) to that group.
 |
|
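The last step of the reply above (register a Windows group as sysadmin, then remove BUILTIN\Administrators without locking yourself out) can be scripted as below. This is an added example, not part of the original thread; `CONTOSO\SQLAdmins` is a placeholder group name, and the guard assumes you run it from the Windows account you intend to keep administering the server with.

```sql
-- Added example. CONTOSO\SQLAdmins is a placeholder: substitute your own domain group.
SET NOCOUNT ON;

-- 1. Register the domain group as a login and make it a sysadmin.
--    sp_addsrvrolemember matches the SQL Server versions of this thread's era;
--    on SQL Server 2012 and later, ALTER SERVER ROLE ... ADD MEMBER replaces it.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\SQLAdmins')
    CREATE LOGIN [CONTOSO\SQLAdmins] FROM WINDOWS;

EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQLAdmins',
                         @rolename = N'sysadmin';

-- 2. Review who holds sysadmin before changing anything.
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 3. Guard: the current session must reach sysadmin through a login other
--    than sa or BUILTIN\Administrators. sys.login_token lists the server
--    principals (own login plus Windows groups) in this session's token.
IF NOT EXISTS (
    SELECT 1
    FROM sys.login_token AS t
    JOIN sys.server_role_members AS rm ON rm.member_principal_id = t.principal_id
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    WHERE r.name = N'sysadmin'
      AND t.usage = N'GRANT OR DENY'
      AND t.name NOT IN (N'sa', N'BUILTIN\Administrators')
)
BEGIN
    RAISERROR(N'Current session has no other sysadmin path; not dropping BUILTIN\Administrators.', 16, 1);
    RETURN;
END;

-- 4. Safe to remove the local Administrators group from SQL Server's logins.
IF EXISTS (SELECT 1 FROM sys.server_principals
           WHERE name = N'BUILTIN\Administrators')
    DROP LOGIN [BUILTIN\Administrators];
```

Group membership only appears in the token at logon, so add your Windows user to the group and reconnect before running steps 3 and 4.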