Post reply

SQL Accounts in Local Administrator group, any reason for this?

  • August 16, 2013 at 2:19 pm

    #278790

    We have a SQL 2008 server where all of the SQL service domain accounts (Engine, Agent, Reporting, Analysis) are in the local Administrators group. I'm unable to find any documentation that shows that this is required, but I'm leery of removing them just in-case.

    Anyone know of anything that may have caused my predecessor to setup the server like this?

    Thanks

  • August 16, 2013 at 2:41 pm

    #1642321

    while admin is not strictly required, and probably it's ideal for the service account to not be admin, there are lots of different permissions required by the service account. many are specified here: http://msdn.microsoft.com/en-us/library/ms143504(v=sql.100).aspx

    A lot of them are granted to local admin by default, saving you the trouble of explictly granting them to the service account. Also, there are issues like what you are going to do with SQL SErver... are you going to use xp_commandshell to write out files to various directories on the server. If so, now you need to explictly grant those permissions.

    In short, granting local admin gives you a bit of flexilbity and avoids lots of "Gotchas"... but yeah, you can make it work without local admin.

Viewing 2 posts - 1 through 1 (of 1 total)

You must be logged in to reply to this topic. Login to reply