Saturday, February 25, 2012

Account to Run SQL under?

It's not a wise choice to make the user IDs local to the server. The reason is that non-local user IDs (i.e. domain accounts) can be allocated email accounts so SQL Server can send emails, whereas local user IDs cannot. If you do not want local administrators to have system admin access rights, then all you need to do is restrict the BUILTIN\Administrators rights.
Peter
"Only two things are infinite, the universe and human
stupidity, and I'm not sure about the former."
Albert Einstein

>--Original Message--
>Currently, our network/server/domain admins have admin control of our SQL
>servers. One manager wants to run SQL under a special local admin account
>to restrict this access, but then we will be affected by the password change
>requirement, which could break SQL every 90 days.
>What is the best way to run SQL so that the server admins don't have SQL
>admin access? Can I run it under "local system", and restrict machine
>admins?
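Peter's suggestion of restricting BUILTIN\Administrators, worked through as T-SQL for the SQL Server 2000 era the thread is discussing. This is an added example, not code from either poster; CORP\SQL_DBAs and CORP\svc_sql are placeholder names for a DBA domain group and a domain service account, and the script assumes it is run by an existing sysadmin.

```sql
-- Added example (not from the thread). Assumes BUILTIN\Administrators currently
-- holds sysadmin, which was the default on SQL Server 2000. Run as a sysadmin.
-- CORP\SQL_DBAs and CORP\svc_sql are placeholders, not names from the thread.

-- 1. Inventory who holds sysadmin today, so nothing is removed blindly.
SELECT l.name, l.sysadmin, l.isntgroup, l.isntname
FROM master.dbo.syslogins AS l
WHERE l.sysadmin = 1
ORDER BY l.name;

-- 2. Make sure a DBA principal keeps sysadmin before the group is cut off;
--    otherwise the instance is locked out of administration.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE name = N'CORP\SQL_DBAs')
    EXEC sp_grantlogin N'CORP\SQL_DBAs';          -- placeholder DBA domain group
EXEC sp_addsrvrolemember N'CORP\SQL_DBAs', 'sysadmin';

-- 3. The service account needs its own login if it was only covered by the
--    Administrators group; without one the service cannot start after step 4.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE name = N'CORP\svc_sql')
    EXEC sp_grantlogin N'CORP\svc_sql';           -- placeholder domain service account
EXEC sp_addsrvrolemember N'CORP\svc_sql', 'sysadmin';

-- 4. Remove the local Administrators group from sysadmin and drop its login,
--    so local admins no longer inherit SQL Server admin rights via the group.
EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', 'sysadmin';
EXEC sp_revokelogin N'BUILTIN\Administrators';

-- 5. Verify: BUILTIN\Administrators should no longer appear in this list.
SELECT name FROM master.dbo.syslogins WHERE sysadmin = 1;
```

This only narrows access inside SQL Server; anyone with local administrator rights on the host still controls the service itself, which is why the audit logging Anthony recommends below is the complementary control.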
First of all, it is impossible to stop God from having access. And, in the domain, Domain Administrators are God. However, you can slow them down quite a bit. Here is a KB that details the procedures. Also know that if you use AD Global Groups to grant the SQL Server DBAs administrative access, which is a Best Practice, all the Domain Admin has to do is add themselves or the Domain Admins group to yours.
How to impede Windows NT administrators from administering a clustered
instance of SQL Server
http://support.microsoft.com/kb/263712/EN-US/
How to change the SQL Server or SQL Server Agent Service account without
using SQL Enterprise Manager in SQL Server 2000
http://support.microsoft.com/default...b;en-us;283811
If you suspect foul play, it would be better to run some sort of Audit Logging on your system and then, once captured, bring it to the Data Center Director's attention. Keep in mind that, just like the DBAs, with great power comes great responsibility. No one should be placed in a role that they are not qualified for, and responsible for, to perform.
Just like the DBAs have the authority to delete every user/system database, the responsibility is to preserve that data. It is no different for the Domain Admins. They have the authority to disrupt operations but the responsibility to preserve them. If you find an individual, or team, that does not play by these rules, that must be made known to the Operations Manager, regardless of the title or the position of the offender.
Sincerely,
Anthony Thomas

"Peter The Spate" <anonymous@.discussions.microsoft.com> wrote in message
news:05b901c51b4e$87a454e0$a501280a@.phx.gbl...
