Registry Settings For Service Account Permissions

Jan 23, 2007

We are trying to configure registry settings to allow sql server service to run on a service account in SQL Server 2005. The registry has changed quite a bit from SQL 2000, and we are missing a setting in the software keys that causes sql server service not to start. If we apply permissions to all of HKEY_LOCAL_MACHINE/SOFTWARE, then the service starts, however company security policies do not allow this. Are there any specific keys we should look at, other than the obvious Microsoft/Microsoft SQL Server and Microsoft/MSSQL keys, in which we have already granted permissions to the service account?

Thanks,

Dave

View 1 Replies


ADVERTISEMENT

What Permissions Are Required For SQL Server Service Account To Call Web Service Using CLR Integration?

May 18, 2007

Hello! I have the following problem. I developed CLR Stored Procedure "StartNotification" and deploy it on db. This sp calls external web service. Furthermore, this sp is called according with SQL Server Agent Job's schedule. On my PC SQL Server works under Local System account and this web service is called correctly (Executed as user: NT AUTHORITYSYSTEM). But on ther other server the following exception is raised during job running:
Date 17.04.2007 16:42:10
Log Job History (FailureNotificationJob)

Step ID 1
Server MSK-CDBPO-01
Job Name FailureNotificationJob
Step Name MainStep
Duration 00:00:00
Sql Severity 16
Sql Message ID 6522
Operator Emailed
Operator Net sent
Operator Paged
Retries Attempted 0

Message
Executed as user: CORPmssqlserver.
A .NET Framework error occurred during execution
of user defined routine or aggregate 'StartNotification':
System.Security.SecurityException: Request for the permission of type
'System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089' failed. System.Security.SecurityException:
at System.Security.CodeAccessSecurityEngine.Check(Object demand,
StackCrawlMark& stackMark, Boolean isPermSet)
at System.Security.CodeAccessPermission.Demand()
at System.Net. The step failed.

What is the reason of this behaviour? Unfortunately I do not have direct access to this server.
I have the following guesses:
1) CORPmssqlserver may have not enough permissions to call web service
2) Something wrong with SQL Server account's permissions
2) Something wrong with SQL Server Agent account's permissions
I will take the will for the deed. Thanks.

View 1 Replies View Related

SQL Service Account Permissions

Oct 2, 2007

I just set up a SQL 2005 Server about a month ago that we will be moving all of our scattered DBs onto. I basically set it up with the default settings and didn't touch anything special, until I tried to install Microsoft System Center Essentials 2007 in our environment. I had problems getting it to use our SQL server, and a forum post told me to change all of the service accounts for SQL to use the LocalSystem login. So here are my service accounts:

SQL Server Integration Services
- NT AUTHORITYNetworkService
SQL Server FullText Search (MSSQLSERVER)
- LocalSystem
SQL Server (MSSQLSERVER)
- LocalSystem
SQL Server Analysis Services (MSSQLSERVER)
- LocalSystem
SQL Server Reporting Services (MSSQLSERVER)
- LocalSystem
SQL Server Browser
- LocalSystem
SQL Server Agent (MSSQLSERVER)
- LocalSystem

So Sandisk makes this software called CMC. It's for controlling their enterprise USB drives. And their software won't install. It errors out saying that it couldn't drop the database on our SQL server (but it doesn't exist). If I make an empty DB by the same name, it sees it, and then errors out anyway. I am using the SA login for testing (I was using a purposed SQL account before) so I don't think it's a rights issue. Sandisk says it should work, and they suggested I use SQL server express. But we run VMs, and running SQL server in another VM is going to use more of our memory pool. Plus we want centralized backups and all that.

Do my service account logins have anything to do with it? Can someone tell me what these should be set to by default so I can change them back?

Here's a trace I did when I tried to install the software:

-- network protocol: TCP/IP
set quoted_identifier on
set arithabort off
set numeric_roundabort off
set ansi_warnings on
set ansi_padding on
set ansi_nulls on
set concat_null_yields_null on
set cursor_close_on_commit off
set implicit_transactions off
set language us_english
set dateformat mdy
set datefirst 7
set transaction isolation level read committed

set implicit_transactions on
go
drop database [CruzerDb]
go
IF @@TRANCOUNT > 0 ROLLBACK TRAN
go

And here's more info if needed:

Product Version
- 9.00.3042.00
Edition
- Standard Edition
Server Collation
- SQL_Latin1_General_CP1_CI_AS
Is Clustered
- No
Is FullText Installed
- Yes
Is Integrated Security Only
- No
Is AWE Enabled
- No
# Processors (used by instance)
- 2

View 2 Replies View Related

Xp_cmdshell - Service Account Permissions

Apr 22, 2008



Im having trouble getting xp_cmdshell to work after we changed the service account for our sql server. It was working perfectly before - so i know that execute permissions have been granted, and that we have a credential set up properly.

I have read that I need to ensure the service account has permissions to 'act as opertaing system' and 'replace a process level token'. I have granted these rights in the local security policy as well.

However, I still get :

A call to 'CreateProcessAsUser' failed with error code: '1314'.

Do I need to restart the service? Or the whole server? Or have I missed something else?

Any help will be much appreciated.

View 1 Replies View Related

SQL Backup Agent Service Account Permissions

Dec 11, 2007



Hi,

If we were to assign permissions to a backup agent such as Backup Exec to backup the databases on the SQL server, what role would give the least amount but sufficient permissions to perform the backup? I know domain admin would make the agent a local admin and therefore allow it to back up the database but is there a role available to allow backup only?

Please note that I'm referring to a domain account used by Backup Exec to directly backup the databases rather than sql server agent.

Thanks.

View 2 Replies View Related

Permissions To A Local Account On Which SQL Server Service Works

Mar 31, 2006

My SQL Server 2005 runs on a local account. Is it neccesary to assign this login in SQL to a System Administrator role?

And is there any difference in SQL Server 2000?



thanks

Przemo

View 1 Replies View Related

SQL Server Admin 2014 :: Does Changing Service Account Update NTFS Permissions

Nov 22, 2014

If you were to do a fresh install it would set permissions on the disk so everything just works.

Now when changing the service account (e.g. to a domain user) use the configuration manager, does it do the same magic (possibly sans if the database data/log files are on another disk)? Or do you need to trawl through the dozens of folders and assign rights manually?

View 1 Replies View Related

VIsta Registry Virtualization And Global Settings

Mar 29, 2007

Hi,



I develop a software that stores few application settings in HKEY_LOCAL_MACHINESOFTWAREMy Companyetc... registry key. I only store things like Database server name etc in there, that are common to all users of the software. In XP I require an administrator to complete the installation so that he is able to store correct settings in the registry. Normal users do not store anything in HKLM, some settings are however stored in HKCU hive.



Now the problem is Vista and it's new registry virtaulization feature. For example my installation program (InstallShield) stores a "InstallSQL=1" value in registry if SQL Server 2005 needs to be installed at first lauch of the program. THen when the software starts for the very first time it installs SQL server and updates registry accordingly. The problem is that at that point the virtualization kicks in, meaning that only the Guy who runs the installation gets an updated registry settings, any other user would still have the InstallSQL=1 settings when they actually should have a InstallSQL=0 settings as the server has already been installed.



So the first question really is, what is the correct procedure for storing global settings like these in Windows Vista ? An INI file would have the same problem as the Program Files folder is also virtualized. Is there a way to set the registry key not to virtaulize itself ? I do not want to manifest the program to run under Admin rights as they are not needed for anything else that storing the few values necessary to access the server and track install state. Any other settings are stored on the database, so this is not the problem.



Any input is greatly apprecieted.



Kind Regards,



Petri

View 1 Replies View Related

Whether To Use Local System Account Or Domain Account For Service Account

Jan 5, 2006

During install of SQL Server 2005, we can of course use a domain account or the built-in system account for running the services.  I lean toward domain for obvious reaons but would like to know a +/- to each option and why I'd choose one over the other and what consequences or limitations one may encounter if I choose one over the other.

View 6 Replies View Related

Moved Aspnetdb To SQL Server - What Permissions Do I Need To Give The ASP IIS Service Account For That? (Getting: Cannot Open Database Aspnetdb Requested By The Login. The Login Failed.)

May 12, 2008

I am getting the error:
Cannot open database "aspnetdb" requested by the login. The login failed.
When I browse to my ASP.NET 3.5 LINQ web application on the IIS 6.0 server on Server 2003.
I imagine this is because while I granted SQL Server 2005 login and permissions to my database that the application stores its data in, I did NOT grant any rights to the service account the IIS Application Pool uses for its identity to the aspnetdb database on SQL Server which is where all my roles information is stored at.
My question is what are the MINIMUM permissions needed for this database so it can perform its roles related functions?
I'm using Windows Authentications with the SQL Role provider for authorization.
 
Thank you.
 
 
EDIT: I think I only need to open the aspnetdb database and add my login to the aspnet_Roles_FullAccess role.  Is that correct?

View 2 Replies View Related

Installing Local Groups -- Registry Permissions Error

Jun 19, 2006

Hi


installing sql express sp1 on SBS Win 2000 box

It's up to database services, and then fails - i've tried this a number of times.


The message box says "The installer has encountered an unexpected error. The code is 2380. Error opening file for write. GetLastError: SoftwareMicrosoftMicrosoft SQL ServerMSSQL.1Setup"

The admin account did not have full admin privileges for this key and subkey- why ?

I was installing under the domain administrator account....

I fixed this, and now the latest error is as follows from the log

QL_ERROR (-1) in OdbcConnection::connect
sqlstate=08001, level=-1, state=-1, native_error=21, msg=[Microsoft][SQL Native Client]Encryption not supported on the client.
sqlstate=08001, level=-1, state=-1, native_error=21, msg=[Microsoft][SQL Native Client]Client unable to establish connection
sqlstate=08001, level=-1, state=-1, native_error=0, msg=[Microsoft][SQL Native Client]An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections.

Error Code: 0x80070015 (21)
Windows Error Text: The device is not ready.
Source File Name: libodbc_connection.cpp
Compiler Timestamp: Wed Oct 26 16:37:41 2005
Function Name: OdbcConnection::connect@connect
Source Line Number: 148

Please HELP !!!

thanks




thansk

View 5 Replies View Related

Sql Server 2005 Install On SBS2003 Fails Due To Registry Key Permissions

Mar 10, 2008

I am posting this to hopefully help someone else that encounters the same issue in the future...


Server: SBS 2003 Premium, with exchange and with all service packs/patches applied.
Server-name: NEWSERVER
Server migrated from: OLDSERVER
Important notes:

This server was migrated from another SBS 2003 on different HW following the instructions provided by microsoft.
The oldserver had exchange and sql 2005 installed on it.
The new server has Office Accounting 2005 installed, but I don't think that matters...

I am trying to install SQL 2005 from the SBS2003-R2 DVD onto the new server, and get the following error:

Error:
---

TITLE: Microsoft SQL Server 2005 Setup
------------------------------

SQL Server Setup failed to modify security permissions on registry key SOFTWAREMicrosoftMicrosoft SQL ServerMSSQL.2MSSQLServerSuperSocketNetLib for user Administrator. To proceed, verify that the account and domain running SQL Server Setup exist, that the account running SQL Server Setup has administrator privileges, and that the registry key exists on the destination drive.

For help, click: http://go.microsoft.com/fwlink?LinkID=20476&ProdName=Microsoft+SQL+Server&ProdVer=9.00.1399.06&EvtSrc=setup.rll&EvtID=29508&EvtType=sqlca%5csqlsddlca.cpp%40Do_sqlRegSDDL%40ExceptionInSDDL%40x7344

------------------------------
BUTTONS:

&Abort
&Retry
&Ignore
------------------------------

---

I looked in the registry, and the administrators group has full control over this key.

Digging into the SQLSETUP log file, at the end I see:
---

Configuring ACL:
Object: HKLMSOFTWAREMicrosoftMicrosoft SQL ServerMSSQL.2MSSQLServerSuperSocketNetLib
ACL: (A;CI;KR;;;[SQLServer2005SQLBrowserUser$NEWSERVER])(A;CI;KR;;;NS)
Action: 0x100
Failed ACL:
ReplaceSDDLSid is failed at the error code 1332; Converted SDDL: '(A;CI;KR;;;[SQLServer2005SQLBrowserUser$NEWSERVER])(A;CI;KR;;;NS)'
Error Code: 0x80077344 (29508)
Windows Error Text: Source File Name: sqlcasqlsddlca.cpp
Compiler Timestamp: Tue Sep 13 01:08:29 2005
Function Name: ExceptionInSDDL
Source Line Number: 65


---

Looking into AD Users+Computers, there is not a group present for SQLServer2005SQLBrowserUser$NEWSERVER but there is one for SQLServer2005SQLBrowserUser$OLDSERVER.

It appears that the install did not create the new group that was necessary..

Once I duplicated the OLDSERVER group, renaming it to have NEWSERVER, the installation completed without error.

I hope this saves someone else a few hours of pain.

-Jason
www.protected-pc.com

View 21 Replies View Related

DTS Fails As A Job With Service Startup Account As "System Account"

May 9, 2002

I have several DTS jobs that runs well as a job with my nt login account for the SQL agent service startup account, but if I use the System account
they fail with this error.
" Error opening datafile: Access is denied. Error source: Microsoft Data Transformation Services Flat File Rowset Provider"

The data has change access to the System account under the NT security.

Thank you in advanced.

Jorge

View 2 Replies View Related

SQL Server 2008 :: Unable To Get Correct Service Name Using Registry Query

May 22, 2015

DECLARE @DBEngineLogin VARCHAR(100)
DECLARE @AgentLogin VARCHAR(100)

EXECUTE master.dbo.xp_instance_regread
@rootkey = N'HKEY_LOCAL_MACHINE',
@key = N'SYSTEMCurrentControlSetServicesMSSQLServer',
@value_name = N'ObjectName',
@value = @DBEngineLogin OUTPUT

[Code] ....

Query to get the exact servername ( do not want to use @@servername), either need to use registry to read or using DMV...

View 3 Replies View Related

Mirroring :: AlwaysOn Open Service Remote Registry Failed

Aug 9, 2015

AlwaysOn open service 'remote registry failed' while validate the cluster.

View 4 Replies View Related

SQL 05 Sets Registry Wrong? Volume Shadow Copy Service

Sep 12, 2005

hello,

View 5 Replies View Related

User Account Per SQL Server Service && SQL Agent Service, Why?

Jul 30, 2007

Hi all,
 I do understand that it is highly recomended to have aserprate user (perfered a domain user account) for each of the SQL Server service and SQL Agent service.
What is the reason behind that? (Someone told me to not run the service with an account that has a powerul privilegs! - I don't undrstanmd this point can you explain it please?)
What is the diffrent between: 1- Local System account 2 -Network Service account
 
Thanks in advanced!
CS4Ever

View 4 Replies View Related

Microsoft Clustering Service Failed To Restore Registry Key For Resource SQL Server

Sep 27, 2004

I got this system error log in the event viewer every time I start the SQL Server cluster resource:

The Microsoft Clustering Service failed restore a registry key for resource SQL Server when it was brought online. This error code was 2. Some changes may be lost.

Even though the SQL seems to be working fine now, I won't know if something drastic will happen later. :confused:

Searching the Internet for resolution, I saw this article. The Microsoft Knowledge Base Article - 307469 (http://support.microsoft.com/default.aspx?kbid=307469) requires using the Windows Server 2003 ClusterRecover utility to reset the server cluster check points.

I've not tried it because I don't know if this is the correct solution or if it will work or not.

Can I even solve the error without using the above utility? I also cannot afford to reinstall the clustering or SQL server. :mad:

Thanks in advance. :)

View 1 Replies View Related

Cant Increment The Counter Registry Key For Setup In SQL Server 2005 (missing Registry)

Feb 3, 2007

Hi im trying to install Sql Server 2005 but it says i need to Increment the Counter Registry Key for Setup in SQL Server 2005 before doing so.  Im following the guide at http://msdn2.microsoft.com/en-us/library/ms143215.aspx but in my registry the folder HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionPerflibdoesnt contain any keys"Last Counter"=dword:00000ed4 (5276)"LastHelp"=dword:00000ed5 (5277) or any key for that matter.How can i fix this? 

View 1 Replies View Related

Running SQL Service Under Network Service Account

May 15, 2007

Microsoft recommends that you do not use the Network Service account to run the SQL Server service (see http://msdn2.microsoft.com/en-us/library/ms143504.aspx).



Can anyone tell me what the drawbacks are of doing this?

View 1 Replies View Related

TFSREPORTS Service Account Does Not Have The Necessary User Right Log On As A Service.

Dec 12, 2007

Okay now this is weird, today the Reporting Services was not running and here are the entries in the event log:


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7041
Date: 12/12/2007
Time: 9:47:22
User: N/A
Computer: TFS
Description:
The ReportServer service was unable to log on as DOMAINTFSREPORTS with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.

Service: ReportServer
Domain and account: DOMAINTFSREPORTS

This service account does not have the necessary user right "Log on as a service."

User Action

Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.

If you have already assigned this user right to the service account, and the user right appears to be removed, a Group Policy object associated with this node might be removing the right. Check with your domain administrator to find out if this is happening.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp

I am the administrator of the machines and I can assure you that no domain policy has changed for a couple of weeks. What should I look for?

View 2 Replies View Related

Permissions For Domain User Account

Jun 8, 2007

Hi,
I want to use a domain user account not belonging to local admin or domain admin groups in SQL 2000/2005 Enterprise edition. This is what I've done so far..
On the machine that is the Domain Controller:
- installed SQL 2005 as a domain admin

- created a domain user account using Active Directory Users and Computers. This user is only


"Member of" domain users; not any Administrators group.


- added this user to SQL Server Management Studio->Logins and in Server Roles assigned


sysadmin role.
Question 1: Do I need to give any additional permissions to this user to work with SQL?
Question 2: How can I test this user for basic SQL operations like database creation? Can I use Osql?
Question 3: Can I use this user account to login to my domain controller using remote desktop? I tried adding this user to remote users, but in vain.



Thanks!

View 3 Replies View Related

What Permissions To Give Cluster Account In SQL

Sep 20, 2006

Hey guys. I'll have an active/active cluster and seperate accounts for SQL Services and Cluster service. The question is what rights should the cluster account have in SQL if I've removed the 'builtin admins' from SQL? Thank you



View 1 Replies View Related

Setting Permissions In Sql Server 2005 For Asp User Account

May 15, 2006

How would Set permissions  Sql  Server 2005 so that I can access a  asp page created in VWD and Sql Express.
 
On the production server i have just the one instance of Sql
 
I have the following connection string in the web config file:
 
<connectionStrings>
        <add name="ConnectionString" connectionString="server=serversNameXPRESS;uid=aspuser;pwd=aspuserPassworkd;database=DATABName" />
    </connectionStrings>
 
The account i setup to access the db in Sql 2005 Proper on the Production serve is Represented by the name in the above example as “aspuserâ€?. I created this user in security, logins. And  I gave permissions to this on the Db level “create procedure  delete, select, update insert.â€?
 
I get a error when i run the page in the browser that  says “login failed for aspuser.â€?
 
I know virtual directory is configured properly. I can run aspx page in the directory with out a db connection, without and error.
 
Any help would be greatly appreciated.

View 2 Replies View Related

Does Xp_cmdshell Proxy Account Need Admin-level Permissions?

Oct 4, 2007

Re: SQL Server 2005

Does the xp_cmdshell proxy account need admin-level permissions on the server?

The reason I ask this is because I keep getting "Access is Denied" errors when trying to run this command as a non-admin:

master..xp_cmdshell dtexec 'some package'

The 'some package' has an "execute process task" which calls a batch file on the server.

If the proxy account is NOT a local admin, the "execute process tasks" fails with an "Access is Denied" error.

If the proxy account is a local admin, it executes fine.

We have given "Everyone" FULL CONTROL of all the folders that are affected by the batch file, and it still does not work.

I am out of ideas at this point. It just does not work unless it's an admin.

Are we missing something here?


View 7 Replies View Related

SQL Service Account

Oct 9, 2007

How can I find account that the SQL Server service is using ?
Plz help.

View 1 Replies View Related

Installl Service Account

Jun 12, 2008

hi.. i do not know which to choose when my installation comes to the service account page ..
should i use the local system or write the domain user account ?
i use domain user account .. but what is my domain ?

View 1 Replies View Related

Service Account Password

Jan 22, 2002

Folks,

MSSQLServer and SQL Server Agent services under NT are running under a system account under our domain (setup many moons ago) for which we have lost the passsword. Is there any way we can recover these passwords?


Thanks.

Sam

View 1 Replies View Related

Can&#39;t Set Up Start Up Service Account

Aug 25, 2000

Hi,

I am trying to set properties on a SQL Server7, but when I get to the tab for 'Startup Service account', it is greyed out. Also, the same for properties for SQL Server Agent.

Why can't I change it?

To schedule jobs, and have SQL mail, don't I need to set up a Startup Service Account?

Thanks for your help,
Judith

View 4 Replies View Related

Changing SQL Service Account

Mar 18, 2004

Has anyone ever converted from running SQL Server under the Local System account to running under a Domain User account?

I have often installed SQL using a Domain User account, but I am inheriting a couple of SQL Servers that were set up to run under Local System. I have never had to convert "on the fly" before.

If you have any input or insights, I would be grateful.

Regards,

hmscott

View 6 Replies View Related

SQL Server Service Account

Jul 20, 2005

SqlServer2k is on the domain serverSqlServer2k is on a laptop tooI want to copy a database from the domain to the laptop over the networkusing the copy database wizard.I have done this before with no problem but this time I get thefollowing error:Your SQL Server Service is running under the local system account. Youneed to change your SQL Server Service account to have the rights tocopy files over the network.I went into the properties of MSSQLSERVER under Services andApplications and see no setting described.Where do manage the SQL Server Service?*** Sent via Developersdex http://www.developersdex.com ***Don't just participate in USENET...get rewarded for it!

View 3 Replies View Related

Service Account And CLR Security

Aug 6, 2007


By default does CLR code run under the SQL Service Server account or the SQL Agent Service Account? Does anybody have a link to BOL or MSDN???

My assumption is its under SQL Server Service Account.

I'm trying to satisfy the DBA's security concerns in regards to CLR Code. If the account it runs under (Agent or service) has zero privliges will a dba still be able to maintain the server? Wouldnt all their backups work under a privilaged account that isnt the SQL Server Service Account?


Double posted in security.

View 6 Replies View Related

Creation Of Service Account

Jan 8, 2008

Hi,

I come from an Oracle background, and am having trouble getting to grips with SqlServer

I've installed SqlServer 2005 and created a Database called Midas, which is owned by SA

I've created a login called ServiceAccount. I want this login to have 'select', 'update' and 'insert' permission on specific tables in the Midas database. How do I do this?

View 15 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved