service account

Question

Post reply

service account

sqlfriend

SSC Guru

Points: 52588
More actions
March 31, 2011 at 12:33 pm

#233951

We have a SQL server 2008, using for exmaple myorg\sqlsvc a domain account for sql agent service account.

I remember I read from microsoft article, the service account has to be a sysadmin role.

Is that still true to SQL server 2008?

In our sql server 2008, I can see there is a login called NT service\SQL serveragent group, which has a sysamin role.

But how can I find out our current service account myorg\sqlsvc is also a sysadmin role?

Thanks

Viewing 5 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply

Adiga One Orange Chip Points: 27284 More actions · Answer 1

Adiga

One Orange Chip

Points: 27284

March 31, 2011 at 1:47 pm

#1306181

If the service account is part of the group that you had mentioned, then it would have sysadmin rights on the instance. Do you see a login for myorg\sqlsvc in SSMS? If yes, the properties of it should confirm what permissions it has on the instance.

Pradeep Adiga
Blog: sqldbadiaries.com
Twitter: @pradeepadiga

sqlfriend SSC Guru Points: 52588 More actions · Answer 2

You said, "If the service account is part of the group that you had mentioned, then it would have sysadmin rights on the instance."

No, I can only see NT service\SQL serveragent group in SSMS login, but I cannot see there is a group in windows like this one, so I cannot check if myorg\sqlsvc in it or not?

You said:

"Do you see a login for myorg\sqlsvc in SSMS? If yes, the properties of it should confirm what permissions it has on the instance. "

No, I cannot see it's there.

The sql server is installed by someone else, so now my question is it seems myorg\sqlsvc is not a sysadmin, how can it be run all this time?

or where else can I found the service account is a sysadmin?

Thanks

Adiga One Orange Chip Points: 27284 More actions · Answer 3

Adiga

One Orange Chip

Points: 27284

March 31, 2011 at 2:04 pm

#1306188

A SQL Server Login has to be explicitly granted access or through group membership. Hence the Agent service account has to be part of a group, since you don't find it granted explicitly.

Pradeep Adiga
Blog: sqldbadiaries.com
Twitter: @pradeepadiga

sqlfriend SSC Guru Points: 52588 More actions · Answer 4

sqlfriend

SSC Guru

Points: 52588

March 31, 2011 at 2:10 pm

#1306190

1. I thought when intalling, it will automatically add this account to the group, SQLServerSQLAgentUser$computername $MSSQLSERVER

2. does it mean we now need to manually add this account to the above group?

3. So if it was not granted as sysamin, how come it can be run in all past time?