January 31, 2008 at 2:41 pm
Hello everyone,
I am in need of building a case of reasons why it is required for the SQL DBA and the SQL service account to have local administrator authority on SQL server boxes. My current access to the SQL servers is not a local or domain administrator account it is a sort of a tweaked users account. Meaning… my account is given access to certain pieces of the registry, file or dlls as issues arise and the Network Administrator identifies the pieces and grants access. There are some things that I am just unable to do like restart the SQL services through Enterprise Manager. I have found this is making our environment very unpredictable. The latest is full text searches stopped working when we replace the SQL service account with a non-local administrative account. I believe that I need the local administrator authority to do my job, and now I must prove it.
Any help would be greatly appreciated!!!!
January 31, 2008 at 3:16 pm
.... like restart the SQL services through Enterprise Manager. ....
AND
.... The latest is full text searches stopped working when we replace the SQL service account with a non-local administrative account. ....
Should be proof enough. 😀
Just explain that these are necessary tasks for a DBA
______________________________________________________________________
Personal Motto: Why push the envelope when you can just open it?
If you follow the direction given HERE[/url] you'll likely increase the number and quality of responses you get to your question.
Jason L. SelburgFebruary 1, 2008 at 8:27 am
I totally agree.
If your system is behaving oddly then this would be a good start.
Also the Agent does do a lot on the server. Running jobs for one thing and these jobs can do all sorts of things from data updates to communicating with other servers and copying files. So local admin privileges should be a minimum.
If you are using a clustered solution then you must be an administrator at all nodes.
If you are using replication, then the replication agents will need read and write access to various locations for deployment of snapshots.
The senior DBAs in my team are part of an AD group and this group is put in the local admins group of the sql servers. This gives them sysadmin writes on the server without being domain admins.
We also use a domain admin account for our agent and sql service...one could argue the pros and cons about this but as long as your password policy is maintained then you should not have a problem.
HTH
Graeme
February 1, 2008 at 9:35 am
You need what you need. Either rights (meaning administrator or extra rights) or someone on call to fix things you can't.
I've gone back and forth on this over the years. I don't think you need admin rights, but you definitely need support.
Also, you shouldn't have a "tweaked" user account. You should have a role that's gotten additional rights. If you hire a second DBA or you leave and your replacement comes in, it's a pain to move rights.
Follow me on Twitter: http://www.twitter.com/way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply