My SQL Server 2005 runs on a local account. Is it neccesary to assign this login in SQL to a System Administrator role?
And is there any difference in SQL Server 2000?
thanks
Przemo
Hello! I have the following problem. I developed CLR Stored Procedure "StartNotification" and deploy it on db. This sp calls external web service. Furthermore, this sp is called according with SQL Server Agent Job's schedule. On my PC SQL Server works under Local System account and this web service is called correctly (Executed as user: NT AUTHORITYSYSTEM). But on ther other server the following exception is raised during job running:
Date 17.04.2007 16:42:10
Log Job History (FailureNotificationJob)
Step ID 1
Server MSK-CDBPO-01
Job Name FailureNotificationJob
Step Name MainStep
Duration 00:00:00
Sql Severity 16
Sql Message ID 6522
Operator Emailed
Operator Net sent
Operator Paged
Retries Attempted 0
Message
Executed as user: CORPmssqlserver.
A .NET Framework error occurred during execution
of user defined routine or aggregate 'StartNotification':
System.Security.SecurityException: Request for the permission of type
'System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089' failed. System.Security.SecurityException:
at System.Security.CodeAccessSecurityEngine.Check(Object demand,
StackCrawlMark& stackMark, Boolean isPermSet)
at System.Security.CodeAccessPermission.Demand()
at System.Net. The step failed.
What is the reason of this behaviour? Unfortunately I do not have direct access to this server.
I have the following guesses:
1) CORPmssqlserver may have not enough permissions to call web service
2) Something wrong with SQL Server account's permissions
2) Something wrong with SQL Server Agent account's permissions
I will take the will for the deed. Thanks.
During install of SQL Server 2005, we can of course use a domain account or the built-in system account for running the services. I lean toward domain for obvious reaons but would like to know a +/- to each option and why I'd choose one over the other and what consequences or limitations one may encounter if I choose one over the other.
View 6 Replies View RelatedIf you were to do a fresh install it would set permissions on the disk so everything just works.
Now when changing the service account (e.g. to a domain user) use the configuration manager, does it do the same magic (possibly sans if the database data/log files are on another disk)? Or do you need to trawl through the dozens of folders and assign rights manually?
I just set up a SQL 2005 Server about a month ago that we will be moving all of our scattered DBs onto. I basically set it up with the default settings and didn't touch anything special, until I tried to install Microsoft System Center Essentials 2007 in our environment. I had problems getting it to use our SQL server, and a forum post told me to change all of the service accounts for SQL to use the LocalSystem login. So here are my service accounts:
SQL Server Integration Services
- NT AUTHORITYNetworkService
SQL Server FullText Search (MSSQLSERVER)
- LocalSystem
SQL Server (MSSQLSERVER)
- LocalSystem
SQL Server Analysis Services (MSSQLSERVER)
- LocalSystem
SQL Server Reporting Services (MSSQLSERVER)
- LocalSystem
SQL Server Browser
- LocalSystem
SQL Server Agent (MSSQLSERVER)
- LocalSystem
So Sandisk makes this software called CMC. It's for controlling their enterprise USB drives. And their software won't install. It errors out saying that it couldn't drop the database on our SQL server (but it doesn't exist). If I make an empty DB by the same name, it sees it, and then errors out anyway. I am using the SA login for testing (I was using a purposed SQL account before) so I don't think it's a rights issue. Sandisk says it should work, and they suggested I use SQL server express. But we run VMs, and running SQL server in another VM is going to use more of our memory pool. Plus we want centralized backups and all that.
Do my service account logins have anything to do with it? Can someone tell me what these should be set to by default so I can change them back?
Here's a trace I did when I tried to install the software:
-- network protocol: TCP/IP
set quoted_identifier on
set arithabort off
set numeric_roundabort off
set ansi_warnings on
set ansi_padding on
set ansi_nulls on
set concat_null_yields_null on
set cursor_close_on_commit off
set implicit_transactions off
set language us_english
set dateformat mdy
set datefirst 7
set transaction isolation level read committed
set implicit_transactions on
go
drop database [CruzerDb]
go
IF @@TRANCOUNT > 0 ROLLBACK TRAN
go
And here's more info if needed:
Product Version
- 9.00.3042.00
Edition
- Standard Edition
Server Collation
- SQL_Latin1_General_CP1_CI_AS
Is Clustered
- No
Is FullText Installed
- Yes
Is Integrated Security Only
- No
Is AWE Enabled
- No
# Processors (used by instance)
- 2
Im having trouble getting xp_cmdshell to work after we changed the service account for our sql server. It was working perfectly before - so i know that execute permissions have been granted, and that we have a credential set up properly.
I have read that I need to ensure the service account has permissions to 'act as opertaing system' and 'replace a process level token'. I have granted these rights in the local security policy as well.
However, I still get :
A call to 'CreateProcessAsUser' failed with error code: '1314'.
Do I need to restart the service? Or the whole server? Or have I missed something else?
Any help will be much appreciated.
I'm trying to do an unattended install of SQL Express 2005 SP2, and specify that the service runs under the Local Service account. Prior versions of SQL Express worked fine.
With SQL Express 2005 SP2, however, the install fails on XP Pro SP2. It *does* work on Winows 2003 Server.
Here's the command line I'm using:
SQLEXPR.EXE /QB ADDLOCAL=ALL INSTANCENAME=FOO SECURITYMODE=SQL SAPWD=BAR SQLACCOUNT="NT AUTHORITYLOCAL SERVICE"
It fails at the end of the install, saying it can't start the service. If I use "NETWORK SERVICE", it works fine, but that's more privileges than I want the service to have. Is there something else on the command line that I can try to get it to work?
Is this even supported?
-Dave
Hi,
If we were to assign permissions to a backup agent such as Backup Exec to backup the databases on the SQL server, what role would give the least amount but sufficient permissions to perform the backup? I know domain admin would make the agent a local admin and therefore allow it to back up the database but is there a role available to allow backup only?
Please note that I'm referring to a domain account used by Backup Exec to directly backup the databases rather than sql server agent.
Thanks.
We are trying to configure registry settings to allow sql server service to run on a service account in SQL Server 2005. The registry has changed quite a bit from SQL 2000, and we are missing a setting in the software keys that causes sql server service not to start. If we apply permissions to all of HKEY_LOCAL_MACHINE/SOFTWARE, then the service starts, however company security policies do not allow this. Are there any specific keys we should look at, other than the obvious Microsoft/Microsoft SQL Server and Microsoft/MSSQL keys, in which we have already granted permissions to the service account?
Thanks,
Dave
Help, Had configuration error trying to set up reporting services. Uninstalled SQL Server and Reinstalled, but not all files were removed. How many files and directories do I have to remove to get Reporting Services to work?
Thanks!
Terry<Header>
<Product>Microsoft SQL Server Reporting Services Version 9.00.1399.00</Product>
<Locale>en-US</Locale>
<TimeZone>Central Standard Time</TimeZone>
<Path>C:Program FilesMicrosoft SQL ServerMSSQL.3Reporting ServicesLogFilesReportServerService__main_01_31_2008_16_16_12.log</Path>
<SystemName>JPADESKTOP1</SystemName>
<OSName>Microsoft Windows NT 5.1.2600 Service Pack 2</OSName>
<OSVersion>5.1.2600.131072</OSVersion>
</Header>
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing ConnectionType to '0' as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing IsSchedulingService to 'True' as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing IsNotificationService to 'True' as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing IsEventService to 'True' as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing PollingInterval to '10' second(s) as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing WindowsServiceUseFileShareStorage to 'False' as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing MemoryLimit to '60' percent as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing RecycleTime to '720' minute(s) as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing MaximumMemoryLimit to '80' percent as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing MaxAppDomainUnloadTime to '30' minute(s) as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing MaxQueueThreads to '0' thread(s) as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing IsWebServiceEnabled to 'True' as specified in Configuration file.
ReportingServicesService!configmanager!4!1/31/2008-16:16:12:: w WARN: WebServiceAccount is not specified in the config file. Using default: JPADESKTOP1ASPNET
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing MaxActiveReqForOneUser to '20' requests(s) as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing MaxScheduleWait to '5' second(s) as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing DatabaseQueryTimeout to '120' second(s) as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing ProcessRecycleOptions to '0' as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing RunningRequestsScavengerCycle to '60' second(s) as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing RunningRequestsDbCycle to '60' second(s) as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing RunningRequestsAge to '30' second(s) as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing CleanupCycleMinutes to '10' minute(s) as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing DailyCleanupMinuteOfDay to default value of '120' minutes since midnight because it was not specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing WatsonFlags to '1064' as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing WatsonDumpOnExceptions to 'Microsoft.ReportingServices.Diagnostics.Utilities.InternalCatalogException,Microsoft.ReportingServices.Modeling.InternalModelingException' as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing WatsonDumpExcludeIfContainsExceptions to 'System.Data.SqlClient.SqlException,System.Threading.ThreadAbortException' as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing SecureConnectionLevel to '0' as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing DisplayErrorLink to 'True' as specified in Configuration file.
ReportingServicesService!library!4!1/31/2008-16:16:12:: i INFO: Initializing WebServiceUseFileShareStorage to 'False' as specified in Configuration file.
ReportingServicesService!servicecontroller!9!1/31/2008-16:16:13:: Total Physical memory: 1055309824
I am getting the error:
Cannot open database "aspnetdb" requested by the login. The login failed.
When I browse to my ASP.NET 3.5 LINQ web application on the IIS 6.0 server on Server 2003.
I imagine this is because while I granted SQL Server 2005 login and permissions to my database that the application stores its data in, I did NOT grant any rights to the service account the IIS Application Pool uses for its identity to the aspnetdb database on SQL Server which is where all my roles information is stored at.
My question is what are the MINIMUM permissions needed for this database so it can perform its roles related functions?
I'm using Windows Authentications with the SQL Role provider for authorization.
Thank you.
EDIT: I think I only need to open the aspnetdb database and add my login to the aspnet_Roles_FullAccess role. Is that correct?
Hi all,
I do understand that it is highly recomended to have aserprate user (perfered a domain user account) for each of the SQL Server service and SQL Agent service.
What is the reason behind that? (Someone told me to not run the service with an account that has a powerul privilegs! - I don't undrstanmd this point can you explain it please?)
What is the diffrent between: 1- Local System account 2 -Network Service account
Thanks in advanced!
CS4Ever
Hi there,BOL notes that in order for replication agents to run properly, theSQLServerAgent must run as a domain account which has privledges to loginto the other machines involved in replication (under "SecurityConsiderations" and elsewhere). This makes sense; however, I waswondering if there were any repercussions to using duplicate localaccounts to establish replication where a domain was not available.Anotherwords, create a local windows account "johndoe" on both machines(with the same password), grant that account access to SQL Server onboth machines, and then have SQL Server Agent run as "johndoe" on bothmachines. I do not feel this is an ideal solution but I havecircumstances under which I may not have a domain available; mypreliminary tests seem to work.Also, are there any similar considerations regarding the MSSQLSERVERservice, or can I always leave that as local system?Dave
View 1 Replies View RelatedI have an application I developled for a shopping cart function using Wrox ASP.NET book as a guide. I have everything working great on my local system using SQL 2005 Express. When I move the app to an IIS 6.0 Web Server with SQL 2005 Express installed I get the following error.
Line 103: Public Overridable Property Cart() As Wrox.Commerce.ShoppingCartLine 104: GetLine 105: Return CType(Me.GetPropertyValue("Cart"),Wrox.Commerce.ShoppingCart)Line 106: End GetLine 107: Set
It has some comments up top about not being able to establish a connection to the SQL Express Database. I have made the changes to allow TCP/IP and Named-Pipes
The App has to be connecting to the database because it displays grid views during the order process.
The Database is located in the App Data folder
IIS is set to Integrated Authentication and configured as a Web Application.
Can someone please tell me what is wrong.
thanks.....
I have a application which uses the automatic asp.net membership stuff to make it work. (In app_data). It works fine on local host, but when I use it on the web server I get the error message (after clicking the log in button):An error has occurred while establishing a connection to
the server. When connecting to SQL Server 2005, this failure may be
caused by the fact that under the default settings SQL Server does not
allow remote connections. (provider: SQL Network Interfaces, error: 26
- Error Locating Server/Instance Specified) Please help me fix this. Thank you for your help,Sam
Hello,
i've developed a website using VB.NET, and SQL SERVER 2K, in my dev environment works properly (SQL Server and WEB SERVER are in the same machine).
When i put everything in the target machine, where the webserver is but not the sql, i get the following error:
Sql SErver does not exist or access denied
I've tried so many ways to do this, ODBC, ADO.NET, OLEDB.....and everything ends in the same error.
Also if i try to connect with ODBC (from odbc manager) it seems to work (test connection succesfull), but in asp.net nothing works.
I've tried to access the server with:
INSTANCE_NAME
SERVER_NAMEINSTANCE_NAME
IP,PORT
I think (they are checking this), that the auth mode is set to MIXED MODE.
Any idea to save my life?? ;)
Thanks ppl
I have created a linked server (to an AS/400) via MSDASQL. It works fine when I execute queries locally (i.e. from Management Studio running on the SQL 2005 server).
However, when I execute a query from a remote machine I get an error (see below for the exact message).
I know the ODBC connection is between the SQL server and the AS/400, and that the remote client does not have connectivity to the AS/400. But shouldn't the SQL server be able to pass the query through to the linked server even if the query is initiated from a remote machine?
Does anyone have any suggestions on how I can resolve this problem so that queries against the linked server can be executed from remote machines?
Errors:
OLE DB provider "MSDASQL" for linked server "MERCURY" returned message "[Microsoft][ODBC Driver Manager] Driver's SQLSetConnectAttr failed".
OLE DB provider "MSDASQL" for linked server "MERCURY" returned message "[IBM][iSeries Access ODBC Driver]Key value in connection string too long.".
Msg 7303, Level 16, State 1, Line 1
Cannot initialize the data source object of OLE DB provider "MSDASQL" for linked server "MERCURY".
Environment: SQL 2005, Standard Edition SP2
Thanks in advance for any suggestions.
David Rueter
drueter@assyst.com
Hi all,
I've recently installed SQL-Server 2005 on our production server (win server r2, .net framework 2.0, 3.0 etc ..).
In order to improve the security mechanism I'm allowing only windows authentication (not mixed mode).
If each site and the sql-process is given a specific user account, could it have some bad performance issues ?
Security-wise, which is better ?
Few things to point out:
1. The SQL process was assigned with a local user account (i.e : [machine name]SqlServerUser) and not using NT AUTHORITYNETWORK_SERVICE.
2. Every ASP.Net site on the server assigned with a local account (i.e : [machine name]SomeSiteUser) through the IIS's Directory Security tab and not using IUSR_[machine name].
3. Each "Site User" has the appropriate database authorization in sql.
Any given help will be appreciated, thanks.
How would Set permissions Sql Server 2005 so that I can access a asp page created in VWD and Sql Express.
On the production server i have just the one instance of Sql
I have the following connection string in the web config file:
<connectionStrings>
<add name="ConnectionString" connectionString="server=serversNameXPRESS;uid=aspuser;pwd=aspuserPassworkd;database=DATABName" />
</connectionStrings>
The account i setup to access the db in Sql 2005 Proper on the Production serve is Represented by the name in the above example as “aspuser�. I created this user in security, logins. And I gave permissions to this on the Db level “create procedure delete, select, update insert.�
I get a error when i run the page in the browser that says “login failed for aspuser.�
I know virtual directory is configured properly. I can run aspx page in the directory with out a db connection, without and error.
Any help would be greatly appreciated.
I have several DTS jobs that runs well as a job with my nt login account for the SQL agent service startup account, but if I use the System account
they fail with this error.
" Error opening datafile: Access is denied. Error source: Microsoft Data Transformation Services Flat File Rowset Provider"
The data has change access to the System account under the NT security.
Thank you in advanced.
Jorge
SqlServer2k is on the domain serverSqlServer2k is on a laptop tooI want to copy a database from the domain to the laptop over the networkusing the copy database wizard.I have done this before with no problem but this time I get thefollowing error:Your SQL Server Service is running under the local system account. Youneed to change your SQL Server Service account to have the rights tocopy files over the network.I went into the properties of MSSQLSERVER under Services andApplications and see no setting described.Where do manage the SQL Server Service?*** Sent via Developersdex http://www.developersdex.com ***Don't just participate in USENET...get rewarded for it!
View 3 Replies View RelatedWe are debating whether to run the SQL Server service as Local System, a domain user without local admin rights, or a domain user with local admin rights. MSDN recommends local admin rights, but doesn't require them.
I would like to get some idea of how the real world handles this. If you run as a local admin, how do you handle the security implications? And if you run without local admin rights, what gotchas have you run into with extended stored procs, replication, etc?
Thanks,
Jerry Ratner
I have a SQL 2000 (SP3) running on a Windows NT 4.0 (SP6) box used in our test environment. The SQL Server was configured to run under the local system account before I got here. In an effort to standardize things, I tried changing the SQL Service account to run under a designated domain user account purpose built for the job. We use this particular account for all of our new-build servers (which are W2K). This domain account is configured to be a "Power User" on the NT 4.0 Server in question.
Soon after changing things over to run under the new account, all the developers complained that they could no longer connect to the server. I could through QA and EM, but none of the developers could.
The developers are using WebLogic and JDBC drivers for the most part. I wasn't aware that the SQL Server service account affected client connectivity. Was I wrong or is there something else at work here?
Thanks,
hmscott
I have recently installed 2005 Standard and 2005 Reporting Services (on a separate server), today we built a service account for the SQL services in Active Directory. I planned to use SQL Configuration tools to change the account but it fails with the message:
'No mapping between account names and security IDs was done'
I ended up going through and following the manual steps outlined in KB article 283811 - http://support.microsoft.com/default.aspx?scid=kb;en-us;Q283811
But I am baffled and concerned as to why it failed.
Any advice?
Future guru in the making.
Guys,
I have got WINDOWS 2000 Advanced Server and MS SQL SERVER 7.0 running on my live server. Now when we are planning for replication, we have found that SQL server will require to run under a domain account. At the moment there are so many ASP pages running on our server accesses different databases created using SQL server 7.0. Most of them are DSN connections to the database. Now if i create a domain account and restart the server and MS SQL services with the domain account, how is it going to effect the current web pages running on it?
Any help will be greatly appreciated.
Thanks
Hi,I changed the login for MSSQLSERVER service for 6.5 box to "Thisaccount" from "system account" and then again changed back to "systemaccount". Now I cann't connect thru Enterprize Manager to my server.All my services r running and I can connect to my database thru anapplication as before. I cannot re-boot the machine as it is inproduction. Any thoughts?Thanks in advance.Subodh
View 1 Replies View RelatedI read an MSDN article that states the following.
SQL Server Browser listens on a UDP port and accepts unauthenticated requests using SQL Server Resolution Protocol (SSRP). SQL Server Browser should be run in the security context of a low-privileged user to minimize exposure to a malicious attack. By default, SQL Server Browser starts using the Local System account. The logon account can be changed by using the Windows Services program. The minimum user rights for SQL Server Browser are as follows:
* Deny access to this computer from the network.
* Deny logon locally.
* Deny logon as a batch job.
* Deny logon through Terminal Services.
* Log on as a service.
* Read and write the SQL Server registry keys related to network communication (ports and pipes).
In our case the SQL Server Browser service is running under the same Windows account as our other SQL Server services. Do you recommend creating a separate Windows account for the SQL Server Browser service as described above?
Can you help me understand how an attack can occur?
Thanks, Dave
I'm thinking of using SQL Server Agent Service for my PDA app. But, I want to use different accounts for SQL Server and SQL Server Agent Service. How can we do this in SQL Server 2005? Do we do this when installing it? Thanks
View 3 Replies View RelatedHi,
I recently installed an evaluation copy of SQL Server 2005 Enterprise Edition on my local machine and during the installation I used Local System system account for the SQL Server service and set the server to use Mixed Mode authentication.
I am able to connect to this local server Database Engine with my Windows login through SQL Server Management Studio and am able to perform sysadmin tasks. My question is why?
My thinking was that even though my Windows login would provide me a connection to the server, I would still have to manually add this login to the sysadmin server roles but after checking the sysadmin role, my Windows login isn't in there. The Windows login is not found under Security - Logins in SSMS either.
Can someone tell me should details for the login be visible on the server and why it seems to have sysadmin permissions ?
Thanks
Hi, i tried to install MS SQL server 2000 in my XP system but during the setup service account installation, i tried to use a domain user account but it cannot validate my user name and password. I used my windows administrator logon account and password. Please help..thank you.
Thanks : :confused:
I'm trying to connect to a database using a service account that we got created. The ID is an AD account and was added to the db as such. When I try to connect to the database using the account with the password I get [login failed for domainid]. The DBA mentioned that its setup to use windows auth, however, I can't connect with this service account using windows Auth, due to I'm using to connect via code.
How can I connect to the database from my code using this ID?
I have the ID and pwd in my code to connect with, does the ID have to be setup differently in the Database?
Without going to services.msc / configuration manager, is there anyway to know the service account through which SQL server is running?
View 6 Replies View RelatedI noticed when I restore a master database to a server other then the one which created the backup of master, SQL Server contains the following three local security groups that were defined on the source server. The problem is these groups are "local" and do not apply to the server where master was restored.
ServerNameSQLServer2005MSFTEUser$ServerName$InstanceName
ServerNameSQLServer2005MSSQLUser$ServerName$InstanceName
ServerNameSQLServer2005SQLAgentUser$ServerName$InstanceName
For example, if you have a default SQL Server instance named MARKETING_TEST the security folder will contain the following three entries.
MARKETING_TESTSQLServer2005MSFTEUser$MARKETING_TEST$MSSQLSERVER
MARKETING_TESTSQLServer2005MSSQLUser$MARKETING_TEST$MSSQLSERVER
MARKETING_TESTSQLServer2005SQLAgentUser$MARKETING_TEST$MSSQLSERVER
If you then backup the master database on an instance named MARKETING_PROD and restore it to MARKETING_TEST, the security folder on MARKETING _TEST will now contain the following three entries.
MARKETING_PRODSQLServer2005MSFTEUser$MARKETING_PROD$MSSQLSERVER
MARKETING_PRODSQLServer2005MSSQLUser$MARKETING_PROD$MSSQLSERVER
MARKETING_PRODSQLServer2005SQLAgentUser$MARKETING_PROD$MSSQLSERVER
These entries would be invalid because no such server exists and therefor no such local groups exists. There appears to be no Microsoft documentation explaining how to handle these groups when restoring master from one server to another. My assumption is that whenever restoring master to another server you must drop these three groups and add the correct corresponding groups along with the appropriate permissions. I don't understand why SQL Server would not rebuild this information for you during a restore.
Any explanations?
Dave