SQL DBA Permissions

Chris Lisi

I want to avoid giving my SQL DBA enterprise/domain admin
rights. Has anyone set up a delegation for a SQL DBA that
gives them all the rights they need, to include
installation of service packs, without giving them the keys
to the castle? Thanks
 
I want to avoid giving my SQL DBA enterprise/domain admin
rights. Has anyone set up a delegation for a SQL DBA that
gives them all the rights they need, to include
installation of service packs, without giving them the keys
to the castle? Thanks

Power Users doesn't get them what they need?

Jeff
 
In an AD network, I am looking for a delegation of the
proper permissions. Are you suggesting that I just add
the DBA group to the local Power Users group on the SQL
boxes? This is the description caption for Power
Users: "Power Users possess most administrative powers
with some restrictions. Thus, Power Users can run legacy
applications in addition to certified applications". See,
my DBAs have domain admin rights on the NT4 domain and are
used to certain things, but I want to revoke a good
portion of those rights. They do not need "god" rights; I
am sure that almost everyone understands why.
 
If you want them to install service packs, they'll need to be administrators
of the box. However, being an administrator of an individual machine
doesn't mean that they have to be domain administrators. You can
apply this change by placing either their accounts, or a domain global group
containing their accounts, into the local administrators group on each
machine they need to administer.

You are talking about the account your DBA uses to log on and not the SQL
Server service account (which requires surprisingly low privileges at the
machine it's running on), aren't you?

Oli
 
Yes, the domain login accts. I want to restrict them as
much as possible. Are there any AD tricks that I can do
as far as delegation? Thanks, I am not really familiar
with what SQL needs and what most companies give the DBAs
security-wise. Thanks
 
You are talking about the account your DBA uses to log on and not the
SQL Server service account (which requires surprisingly low privileges
at the machine it's running on), aren't you?

While we're on the subject, what permissions does the service account for SQL
require?
I recently attended the MS security presentation in Melbourne, and we were
advised that the service acct only needs restricted privileges, but I have
been unable to find out exactly what it needs.

It would be nice if MS provided a web page stating what the various services
(SQL, Exchange, SMS etc.) need in order to operate correctly. Having it all
listed on one page would make it very convenient.

Andy.
 
In an AD network, I am looking for a delegation of the
proper permissions. Are you suggesting that I just add
the DBA group to the local Power Users group on the SQL
boxes? This is the description caption for Power
Users: "Power Users possess most administrative powers
with some restrictions. Thus, Power Users can run legacy
applications in addition to certified applications". See,
my DBAs have domain admin rights on the NT4 domain and are
used to certain things, but I want to revoke a good
portion of those rights. They do not need "god" rights; I
am sure that almost everyone understands why.

Local Administrator of the SQL Server wouldn't give them domain admin
rights. Create a SQL Admins group and add it to the local
administrators group on your SQL Servers, then put the SQL
administrators in that group.

Jeff
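
The approach described in the reply above, as an added example that is not part of the original thread: a PowerShell sketch that creates the domain group, adds it to the local Administrators group on each SQL Server, and then flags any DBA account still in Domain Admins or Enterprise Admins. It assumes a current Windows environment with the ActiveDirectory module and PowerShell remoting enabled; the domain, OU, group, account and host names are all hypothetical.

```powershell
# Added example. Every name below (domain, OU, group, accounts, hosts) is hypothetical.
Import-Module ActiveDirectory

$Domain     = 'CONTOSO'
$GroupName  = 'SQL Admins'
$GroupOU    = 'OU=Groups,DC=contoso,DC=example'
$DbaLogins  = 'dba.alice', 'dba.bob'      # the DBAs' own logon accounts, not service accounts
$SqlServers = 'SQL01', 'SQL02'
$Principal  = $Domain + '\' + $GroupName

# 1. Create the domain global security group once.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}

# 2. Put the DBA accounts in the group, skipping any that are already members.
$current = Get-ADGroupMember -Identity $GroupName |
    Select-Object -ExpandProperty SamAccountName
$missing = $DbaLogins | Where-Object { $_ -notin $current }
if ($missing) {
    Add-ADGroupMember -Identity $GroupName -Members $missing
}

# 3. Add the group to the local Administrators group on each SQL Server only.
#    This grants admin rights on those machines and nothing at the domain level.
Invoke-Command -ComputerName $SqlServers -ScriptBlock {
    $p = $using:Principal
    $present = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -eq $p }
    if (-not $present) {
        Add-LocalGroupMember -Group 'Administrators' -Member $p
    }
    # Emit the resulting membership so the change can be reviewed per host.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } }, Name, ObjectClass
}

# 4. Report DBA accounts that still hold domain-wide or forest-wide admin rights.
foreach ($g in 'Domain Admins', 'Enterprise Admins') {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.SamAccountName -in $DbaLogins } |
        ForEach-Object { Write-Warning "$($_.SamAccountName) is still a member of $g" }
}
```

Step 4 assumes a single-domain forest, where Enterprise Admins resides in the same domain as the DBA accounts.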

 
I've had SQL Server 2000 running under an account that's only a member of
the guests group on the box, with the only side-effect that I could see
being a message in the event log when the service started regarding port
1433 and being unable to attach permanently (sorry, being very vague here).
Anyway, it certainly was listening on the right port and I couldn't find any
problems for my particular application.

Bear in mind I'm no SQL Server expert, though. You might be better off
asking in one of the SQL Server groups.

Regards

Oli
 