We are trying to configure registry settings to allow sql server service to run on a service account in SQL Server 2005. The registry has changed quite a bit from SQL 2000, and we are missing a setting in the software keys that causes sql server service not to start. If we apply permissions to all of HKEY_LOCAL_MACHINE/SOFTWARE, then the service starts, however company security policies do not allow this. Are there any specific keys we should look at, other than the obvious Microsoft/Microsoft SQL Server and Microsoft/MSSQL keys, in which we have already granted permissions to the service account?
Hello! I have the following problem. I developed CLR Stored Procedure "StartNotification" and deploy it on db. This sp calls external web service. Furthermore, this sp is called according with SQL Server Agent Job's schedule. On my PC SQL Server works under Local System account and this web service is called correctly (Executed as user: NT AUTHORITYSYSTEM). But on ther other server the following exception is raised during job running: Date 17.04.2007 16:42:10 Log Job History (FailureNotificationJob)
Step ID 1 Server MSK-CDBPO-01 Job Name FailureNotificationJob Step Name MainStep Duration 00:00:00 Sql Severity 16 Sql Message ID 6522 Operator Emailed Operator Net sent Operator Paged Retries Attempted 0
Message Executed as user: CORPmssqlserver. A .NET Framework error occurred during execution of user defined routine or aggregate 'StartNotification': System.Security.SecurityException: Request for the permission of type 'System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. System.Security.SecurityException: at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) at System.Security.CodeAccessPermission.Demand() at System.Net. The step failed.
What is the reason of this behaviour? Unfortunately I do not have direct access to this server. I have the following guesses: 1) CORPmssqlserver may have not enough permissions to call web service 2) Something wrong with SQL Server account's permissions 2) Something wrong with SQL Server Agent account's permissions I will take the will for the deed. Thanks.
I just set up a SQL 2005 Server about a month ago that we will be moving all of our scattered DBs onto. I basically set it up with the default settings and didn't touch anything special, until I tried to install Microsoft System Center Essentials 2007 in our environment. I had problems getting it to use our SQL server, and a forum post told me to change all of the service accounts for SQL to use the LocalSystem login. So here are my service accounts:
SQL Server Integration Services - NT AUTHORITYNetworkService SQL Server FullText Search (MSSQLSERVER) - LocalSystem SQL Server (MSSQLSERVER) - LocalSystem SQL Server Analysis Services (MSSQLSERVER) - LocalSystem SQL Server Reporting Services (MSSQLSERVER) - LocalSystem SQL Server Browser - LocalSystem SQL Server Agent (MSSQLSERVER) - LocalSystem
So Sandisk makes this software called CMC. It's for controlling their enterprise USB drives. And their software won't install. It errors out saying that it couldn't drop the database on our SQL server (but it doesn't exist). If I make an empty DB by the same name, it sees it, and then errors out anyway. I am using the SA login for testing (I was using a purposed SQL account before) so I don't think it's a rights issue. Sandisk says it should work, and they suggested I use SQL server express. But we run VMs, and running SQL server in another VM is going to use more of our memory pool. Plus we want centralized backups and all that.
Do my service account logins have anything to do with it? Can someone tell me what these should be set to by default so I can change them back?
Here's a trace I did when I tried to install the software:
-- network protocol: TCP/IP set quoted_identifier on set arithabort off set numeric_roundabort off set ansi_warnings on set ansi_padding on set ansi_nulls on set concat_null_yields_null on set cursor_close_on_commit off set implicit_transactions off set language us_english set dateformat mdy set datefirst 7 set transaction isolation level read committed
set implicit_transactions on go drop database [CruzerDb] go IF @@TRANCOUNT > 0 ROLLBACK TRAN go
And here's more info if needed:
Product Version - 9.00.3042.00 Edition - Standard Edition Server Collation - SQL_Latin1_General_CP1_CI_AS Is Clustered - No Is FullText Installed - Yes Is Integrated Security Only - No Is AWE Enabled - No # Processors (used by instance) - 2
Im having trouble getting xp_cmdshell to work after we changed the service account for our sql server. It was working perfectly before - so i know that execute permissions have been granted, and that we have a credential set up properly.
I have read that I need to ensure the service account has permissions to 'act as opertaing system' and 'replace a process level token'. I have granted these rights in the local security policy as well.
However, I still get :
A call to 'CreateProcessAsUser' failed with error code: '1314'.
Do I need to restart the service? Or the whole server? Or have I missed something else?
If we were to assign permissions to a backup agent such as Backup Exec to backup the databases on the SQL server, what role would give the least amount but sufficient permissions to perform the backup? I know domain admin would make the agent a local admin and therefore allow it to back up the database but is there a role available to allow backup only?
Please note that I'm referring to a domain account used by Backup Exec to directly backup the databases rather than sql server agent.
If you were to do a fresh install it would set permissions on the disk so everything just works.
Now when changing the service account (e.g. to a domain user) use the configuration manager, does it do the same magic (possibly sans if the database data/log files are on another disk)? Or do you need to trawl through the dozens of folders and assign rights manually?
I develop a software that stores few application settings in HKEY_LOCAL_MACHINESOFTWAREMy Companyetc... registry key. I only store things like Database server name etc in there, that are common to all users of the software. In XP I require an administrator to complete the installation so that he is able to store correct settings in the registry. Normal users do not store anything in HKLM, some settings are however stored in HKCU hive.
Now the problem is Vista and it's new registry virtaulization feature. For example my installation program (InstallShield) stores a "InstallSQL=1" value in registry if SQL Server 2005 needs to be installed at first lauch of the program. THen when the software starts for the very first time it installs SQL server and updates registry accordingly. The problem is that at that point the virtualization kicks in, meaning that only the Guy who runs the installation gets an updated registry settings, any other user would still have the InstallSQL=1 settings when they actually should have a InstallSQL=0 settings as the server has already been installed.
So the first question really is, what is the correct procedure for storing global settings like these in Windows Vista ? An INI file would have the same problem as the Program Files folder is also virtualized. Is there a way to set the registry key not to virtaulize itself ? I do not want to manifest the program to run under Admin rights as they are not needed for anything else that storing the few values necessary to access the server and track install state. Any other settings are stored on the database, so this is not the problem.
During install of SQL Server 2005, we can of course use a domain account or the built-in system account for running the services. I lean toward domain for obvious reaons but would like to know a +/- to each option and why I'd choose one over the other and what consequences or limitations one may encounter if I choose one over the other.
I am getting the error: Cannot open database "aspnetdb" requested by the login. The login failed. When I browse to my ASP.NET 3.5 LINQ web application on the IIS 6.0 server on Server 2003. I imagine this is because while I granted SQL Server 2005 login and permissions to my database that the application stores its data in, I did NOT grant any rights to the service account the IIS Application Pool uses for its identity to the aspnetdb database on SQL Server which is where all my roles information is stored at. My question is what are the MINIMUM permissions needed for this database so it can perform its roles related functions? I'm using Windows Authentications with the SQL Role provider for authorization.
Thank you.
EDIT: I think I only need to open the aspnetdb database and add my login to the aspnet_Roles_FullAccess role. Is that correct?
It's up to database services, and then fails - i've tried this a number of times.
The message box says "The installer has encountered an unexpected error. The code is 2380. Error opening file for write. GetLastError: SoftwareMicrosoftMicrosoft SQL ServerMSSQL.1Setup"
The admin account did not have full admin privileges for this key and subkey- why ?
I was installing under the domain administrator account....
I fixed this, and now the latest error is as follows from the log
QL_ERROR (-1) in OdbcConnection::connect sqlstate=08001, level=-1, state=-1, native_error=21, msg=[Microsoft][SQL Native Client]Encryption not supported on the client. sqlstate=08001, level=-1, state=-1, native_error=21, msg=[Microsoft][SQL Native Client]Client unable to establish connection sqlstate=08001, level=-1, state=-1, native_error=0, msg=[Microsoft][SQL Native Client]An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections.
Error Code: 0x80070015 (21) Windows Error Text: The device is not ready. Source File Name: libodbc_connection.cpp Compiler Timestamp: Wed Oct 26 16:37:41 2005 Function Name: OdbcConnection::connect@connect Source Line Number: 148
I am posting this to hopefully help someone else that encounters the same issue in the future...
Server: SBS 2003 Premium, with exchange and with all service packs/patches applied. Server-name: NEWSERVER Server migrated from: OLDSERVER Important notes:
This server was migrated from another SBS 2003 on different HW following the instructions provided by microsoft. The oldserver had exchange and sql 2005 installed on it. The new server has Office Accounting 2005 installed, but I don't think that matters...
I am trying to install SQL 2005 from the SBS2003-R2 DVD onto the new server, and get the following error:
Error: ---
TITLE: Microsoft SQL Server 2005 Setup ------------------------------
SQL Server Setup failed to modify security permissions on registry key SOFTWAREMicrosoftMicrosoft SQL ServerMSSQL.2MSSQLServerSuperSocketNetLib for user Administrator. To proceed, verify that the account and domain running SQL Server Setup exist, that the account running SQL Server Setup has administrator privileges, and that the registry key exists on the destination drive.
For help, click: http://go.microsoft.com/fwlink?LinkID=20476&ProdName=Microsoft+SQL+Server&ProdVer=9.00.1399.06&EvtSrc=setup.rll&EvtID=29508&EvtType=sqlca%5csqlsddlca.cpp%40Do_sqlRegSDDL%40ExceptionInSDDL%40x7344
I looked in the registry, and the administrators group has full control over this key.
Digging into the SQLSETUP log file, at the end I see: ---
Configuring ACL: Object: HKLMSOFTWAREMicrosoftMicrosoft SQL ServerMSSQL.2MSSQLServerSuperSocketNetLib ACL: (A;CI;KR;;;[SQLServer2005SQLBrowserUser$NEWSERVER])(A;CI;KR;;;NS) Action: 0x100 Failed ACL: ReplaceSDDLSid is failed at the error code 1332; Converted SDDL: '(A;CI;KR;;;[SQLServer2005SQLBrowserUser$NEWSERVER])(A;CI;KR;;;NS)' Error Code: 0x80077344 (29508) Windows Error Text: Source File Name: sqlcasqlsddlca.cpp Compiler Timestamp: Tue Sep 13 01:08:29 2005 Function Name: ExceptionInSDDL Source Line Number: 65
---
Looking into AD Users+Computers, there is not a group present for SQLServer2005SQLBrowserUser$NEWSERVER but there is one for SQLServer2005SQLBrowserUser$OLDSERVER.
It appears that the install did not create the new group that was necessary..
Once I duplicated the OLDSERVER group, renaming it to have NEWSERVER, the installation completed without error.
I hope this saves someone else a few hours of pain.
I have several DTS jobs that runs well as a job with my nt login account for the SQL agent service startup account, but if I use the System account they fail with this error. " Error opening datafile: Access is denied. Error source: Microsoft Data Transformation Services Flat File Rowset Provider"
The data has change access to the System account under the NT security.
Hi all, I do understand that it is highly recomended to have aserprate user (perfered a domain user account) for each of the SQL Server service and SQL Agent service. What is the reason behind that? (Someone told me to not run the service with an account that has a powerul privilegs! - I don't undrstanmd this point can you explain it please?) What is the diffrent between: 1- Local System account 2 -Network Service account
I got this system error log in the event viewer every time I start the SQL Server cluster resource:
The Microsoft Clustering Service failed restore a registry key for resource SQL Server when it was brought online. This error code was 2. Some changes may be lost.
Even though the SQL seems to be working fine now, I won't know if something drastic will happen later. :confused:
Searching the Internet for resolution, I saw this article. The Microsoft Knowledge Base Article - 307469 (http://support.microsoft.com/default.aspx?kbid=307469) requires using the Windows Server 2003 ClusterRecover utility to reset the server cluster check points.
I've not tried it because I don't know if this is the correct solution or if it will work or not.
Can I even solve the error without using the above utility? I also cannot afford to reinstall the clustering or SQL server. :mad:
Hi im trying to install Sql Server 2005 but it says i need to Increment the Counter Registry Key for Setup in SQL Server 2005 before doing so. Im following the guide at http://msdn2.microsoft.com/en-us/library/ms143215.aspx but in my registry the folder HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionPerflibdoesnt contain any keys"Last Counter"=dword:00000ed4 (5276)"LastHelp"=dword:00000ed5 (5277) or any key for that matter.How can i fix this?
Microsoft recommends that you do not use the Network Service account to run the SQL Server service (see http://msdn2.microsoft.com/en-us/library/ms143504.aspx).
Can anyone tell me what the drawbacks are of doing this?
Okay now this is weird, today the Reporting Services was not running and here are the entries in the event log:
Event Type: Error Event Source: Service Control Manager Event Category: None Event ID: 7041 Date: 12/12/2007 Time: 9:47:22 User: N/A Computer: TFS Description: The ReportServer service was unable to log on as DOMAINTFSREPORTS with the currently configured password due to the following error: Logon failure: the user has not been granted the requested logon type at this computer.
Service: ReportServer Domain and account: DOMAINTFSREPORTS
This service account does not have the necessary user right "Log on as a service."
User Action
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account, and the user right appears to be removed, a Group Policy object associated with this node might be removing the right. Check with your domain administrator to find out if this is happening. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
I am the administrator of the machines and I can assure you that no domain policy has changed for a couple of weeks. What should I look for?
Hi, I want to use a domain user account not belonging to local admin or domain admin groups in SQL 2000/2005 Enterprise edition. This is what I've done so far.. On the machine that is the Domain Controller: - installed SQL 2005 as a domain admin
- created a domain user account using Active Directory Users and Computers. This user is only
"Member of" domain users; not any Administrators group.
- added this user to SQL Server Management Studio->Logins and in Server Roles assigned
sysadmin role. Question 1: Do I need to give any additional permissions to this user to work with SQL? Question 2: How can I test this user for basic SQL operations like database creation? Can I use Osql? Question 3: Can I use this user account to login to my domain controller using remote desktop? I tried adding this user to remote users, but in vain.
Hey guys. I'll have an active/active cluster and seperate accounts for SQL Services and Cluster service. The question is what rights should the cluster account have in SQL if I've removed the 'builtin admins' from SQL? Thank you
The account i setup to access the db in Sql 2005 Proper on the Production serve is Represented by the name in the above example as “aspuser�. I created this user in security, logins. And I gave permissions to this on the Db level “create procedure delete, select, update insert.�
I get a error when i run the page in the browser that says “login failed for aspuser.�
I know virtual directory is configured properly. I can run aspx page in the directory with out a db connection, without and error.
hi.. i do not know which to choose when my installation comes to the service account page .. should i use the local system or write the domain user account ? i use domain user account .. but what is my domain ?
MSSQLServer and SQL Server Agent services under NT are running under a system account under our domain (setup many moons ago) for which we have lost the passsword. Is there any way we can recover these passwords?
I am trying to set properties on a SQL Server7, but when I get to the tab for 'Startup Service account', it is greyed out. Also, the same for properties for SQL Server Agent.
Why can't I change it?
To schedule jobs, and have SQL mail, don't I need to set up a Startup Service Account?
Has anyone ever converted from running SQL Server under the Local System account to running under a Domain User account?
I have often installed SQL using a Domain User account, but I am inheriting a couple of SQL Servers that were set up to run under Local System. I have never had to convert "on the fly" before.
If you have any input or insights, I would be grateful.
SqlServer2k is on the domain serverSqlServer2k is on a laptop tooI want to copy a database from the domain to the laptop over the networkusing the copy database wizard.I have done this before with no problem but this time I get thefollowing error:Your SQL Server Service is running under the local system account. Youneed to change your SQL Server Service account to have the rights tocopy files over the network.I went into the properties of MSSQLSERVER under Services andApplications and see no setting described.Where do manage the SQL Server Service?*** Sent via Developersdex http://www.developersdex.com ***Don't just participate in USENET...get rewarded for it!
By default does CLR code run under the SQL Service Server account or the SQL Agent Service Account? Does anybody have a link to BOL or MSDN???
My assumption is its under SQL Server Service Account.
I'm trying to satisfy the DBA's security concerns in regards to CLR Code. If the account it runs under (Agent or service) has zero privliges will a dba still be able to maintain the server? Wouldnt all their backups work under a privilaged account that isnt the SQL Server Service Account?
I come from an Oracle background, and am having trouble getting to grips with SqlServer
I've installed SqlServer 2005 and created a Database called Midas, which is owned by SA
I've created a login called ServiceAccount. I want this login to have 'select', 'update' and 'insert' permission on specific tables in the Midas database. How do I do this?