Hi everybody. Need help with security.
1. SQLAgent service = domain\My_local_admin
2. Job created, Owner: domain\SQLDBA
   step1: exec sp_Who2
   step2: Run DTS
      a) Connect to ANOTHER_SQL_SERVER using Windows authentication
      b) truncate table xxx
3. Run daily every 1 hr
Questions:
1. Who will run the job, domain\My_local_admin or domain\SQLDBA?
2. What account will be used to connect to ANOTHER_SQL_SERVER in step2?
I have 2 servers that are members of the same AD Domain.
I need an account that can login to either one, but needs to be able to start a service, which my network admin says a local domain administrator cannot do.
So, I just decided to create an account with the same name, properties and password on both machines.
This I did. The account is a member of local Windows Administrator group on each server. Additionally, it is an SQL account on the SQL Server local instance, and a member of the SysAdmin group.
I can assign this account to SQL Server as the startup account (Log in with this account). That works fine. However, when I assign this account to SQL Server, then SQL Server Agent quits running. So I try to assign this same account to this service and I get an error that the account 'Unknown' cannot login and needs to be a member of the SysAdmin group!??
This is a completely confusing error message since the account is a Windows Admin, SQL Server SysAdmin account and can start SQL Server fine without a hitch.
If we were to assign permissions to a backup agent such as Backup Exec to back up the databases on the SQL server, what role would give the least amount but sufficient permissions to perform the backup? I know domain admin would make the agent a local admin and therefore allow it to back up the database, but is there a role available to allow backup only?
Please note that I'm referring to a domain account used by Backup Exec to directly back up the databases rather than SQL Server Agent.
Who needs to invoke the jobs in SQL05? Manually executing the job import_myteam as a user with dbo privileges fails. So, which user account should be assigned to successfully run scheduled jobs (i.e., dbo)?
The package file for the job in question is located in the server's C:\Documents and Settings\userxyz\My Documents\Visual Studio 2005\Projects\Integration Services Project3\Integration Services Project3\MyTeam (1).dtsx, but this still fails when the user userxyz is logged on and is executing the job directly from the server console.
Step 1 of the package executes as userxyz. Step 2 fails and runs as cpmc-casql02.
The user account userxyz has administrator rights to the server as well as being a sysadmin of the SQL2005 database (named cpcasql02).
The account cpmc-casql02 is a "public" user of the database and is a member of the administrator group on the server itself.
This same scenario carries for tasks as simple as truncating a table and importing the contents of another table in the same database.
All of these jobs exhibit the same behavior whether run directly from the server console or remotely from a workstation connected to the SQL2005 database.
Attempting to get a really simple job working, we also created a very simple SSIS package which does a select from a database table and writes the output to a text file. When running the same package from the user's workstation within Visual Studio, the package executes successfully. Once copied to the server and run from within SQL Server as MyJunePackage, however, the execution fails in the same manner as described above. The first step executes successfully as the logged-in user and the second fails, executed under the account cpmc-casql02.
So, again we have the same behavior of sequential steps being run as different users with unsatisfactory results. Please advise as to how to set up these jobs to run correctly and consistently.
What is considered best practice for privileges etc. on the SQL Agent service account and the long-term need for that account to run SSIS packages? I tried to understand and appreciate the article at http://www.microsoft.com/technet/prodtechnol/sql/2005/newsqlagent.mspx but felt like either it was overkill or I wasn't getting it.
I'm thinking of using SQL Server Agent Service for my PDA app. But, I want to use different accounts for SQL Server and SQL Server Agent Service. How can we do this in SQL Server 2005? Do we do this when installing it? Thanks
Am trying to run SQL Server Agent with a service account which is not in the Administrators group. Have done the following:
1. Removed the service account from the Administrators group on the machine
2. Assigned sysadmin privileges to the service account
3. Added it to the SQLServer2005SQLAgentUser$ComputerName$MSSQLSERVER role
4. Through SQL Configuration Manager assigned this account to the SQL Server Agent service
However, this does not start the Agent as a service. What is it that is missing?
During install of SQL Server 2005, we can of course use a domain account or the built-in system account for running the services. I lean toward domain for obvious reasons but would like to know a +/- to each option and why I'd choose one over the other and what consequences or limitations one may encounter if I choose one over the other.
Hi all, I do understand that it is highly recommended to have a separate user (preferably a domain user account) for each of the SQL Server service and SQL Agent service. What is the reason behind that? (Someone told me not to run the service with an account that has powerful privileges! I don't understand this point, can you explain it please?) What is the difference between:
1. Local System account
2. Network Service account
How to change the SQL Server Express or SQL Server Agent service account programmatically using C# 2.0? Actually, I do know all the other methods like using SQL Server Configuration Manager in SQL Server 2005 or the Manage My Computer dialog. But I really need to do this using C# 2.0.
Why do I need this? I want to do this as part of an installation procedure to make the user able to back up his database anywhere with any privileges. And I don't want him to do this manually as he is not an expert at all or even a novice.
I have been running a script in SQL Server 2000 as sa and also as an Active Directory user who has administrator rights (I tested both approaches, SQL Server then Windows Authentication) in Query Analyser which grants execute rights to the stored procedures within the database instance, and Query Analyser does not give any errors when I run the script. I have made sure that each transaction has a go after it. I then return to Enterprise Manager, check the rights (I apply them to roles so that when we create another SQL Server user we just grant him/her rights to the role) and discover that the role has not been granted the rights. It seems to be occurring only with 2 of the procedures. Is there a known bug that might be causing this?
I have several DTS jobs that run well as a job with my NT login account for the SQL Agent service startup account, but if I use the System account they fail with this error: "Error opening datafile: Access is denied. Error source: Microsoft Data Transformation Services Flat File Rowset Provider"
The data has change access to the System account under the NT security.
Basically a DTS package has been set up that pulls in data from another company's server. This data is required to be on-demand, i.e. individual users can pull in updates of the data when they require it.
I am using xp_cmdshell and dtsrun to pull in the data. This obviously works fine for me as I am a member of sysadmin.
Books Online quotes "SQL Server Agent proxy accounts allow SQL Server users who do not belong to the sysadmin fixed server role to execute xp_cmdshell"
So I went to the SQL Server Agent Properties 'Job System' tab and unchecked 'Non-sysadmin job step proxy account' and entered a proxy account.
The proxy account has been set up as a Windows user with local administrator privileges and even a member of the sysadmin server role, just in case.
Now when I log onto the db with my test account (a non-sysadmin) and attempt to run the stored proc to import the data, I receive the message 'EXECUTE permission denied on object 'xp_cmdshell', database 'master', owner 'dbo' '
Hmm... so basically I have either misunderstood BoL or there is something not quite right in my setup.
I have searched the net for a few days now and yet I can find no solution.
Hi there,
BOL notes that in order for replication agents to run properly, the SQLServerAgent must run as a domain account which has privileges to log into the other machines involved in replication (under "Security Considerations" and elsewhere). This makes sense; however, I was wondering if there were any repercussions to using duplicate local accounts to establish replication where a domain was not available. In other words, create a local Windows account "johndoe" on both machines (with the same password), grant that account access to SQL Server on both machines, and then have SQL Server Agent run as "johndoe" on both machines. I do not feel this is an ideal solution but I have circumstances under which I may not have a domain available; my preliminary tests seem to work.
Also, are there any similar considerations regarding the MSSQLSERVER service, or can I always leave that as local system?
Dave
I have a situation that I have discovered in our QA database that I need to resolve. When I looked at the Activity Monitor for our server, I discovered that a process is running under a domain user account for one of our .Net applications. The problem is that that domain user account has not been created as a SQL login account on the server. I am trying to figure out how someone can log in to the database server with a domain user account that has not been added to SQL Server as a login account.
Does anyone have any insight on this? I don't like the idea of someone being able to create a domain account that can access the database without me granting them specific access.
When I run a package from a command window using dtexec, the job immediately says success.
DTExec: The package execution returned DTSER_SUCCESS (0).
Started: 3:37:41 PM
Finished: 3:37:43 PM
Elapsed: 2.719 seconds
However the job is still in the agent and the status is executing. The implications of this are not good. Is this how the SQL Server Agent job task is supposed to work by design?
I would appreciate any help here at all. I am pulling my hair out!
I am unable to start the snapshot agent or log reader agent from within SQL management studio. It fails on executing step 2 with unknown username or bad password.
I have checked all account details and they are correctly using my domain admin account. I can connect to SQL using the same account and it also has sysadmin permissions.
If I copy the step 2 parameters and start from the cmd prompt (again logged in using the same domain account) they both start fine.
I am testing peer to peer replication in our environment. I simulated a three node peer to peer topology and a local distributor.
For some weird reason I cannot get the Log Reader Agent and snapshot agent to start. The domain account under which SQL Server Agent runs has administrator privilege on the box. I also use a domain account for SQL Server Service (none of the passwords changed).
This is the error I am getting - "Executed as user: abc. A required privilege is not held by the client. The step failed"
We just moved source server to newer, bigger box ... Windows 2003 and Active Directory ... Snapshot agent worked but distribution failed ... Same login as on older machine, login is sysadm, used DCOMCNFG to allow ability to launch process ... What are we missing?
Hello everyone, I need some advice regarding security. My security officer wants me to disable the sa account on all my SQL Servers. NT Security for the sysadmin role is already set up for all my servers for the group "Domain DBAs".
Could someone give the pros and cons? This person wants the ability to activate the sa account at will. (He comes from the AS400 mind frame.)
Second question: are there any good books or courses that talk about securing SQL Server 7.0, 2000, etc.?
I have taken over an NT 4 and SQL Server 7 system that has an NT account called SA. No one seems to know what it is for. I thought that the SA account was only a SQL login. Has anyone seen this? Thanks
Scenario: My client has 4 sql boxes with applications connecting to them via various methods (ado, odbc, etc.). Some of the applications have the SA login and pwd hard coded. Too many users have the SA pwd so they want to change the pwd without affecting the applications. Well, they haven't heard of Source Safe until I got here and the projects for the applications are nowhere to be found. They don't want to hear about rewriting the applications.
Suggestions: I'm wondering if I can create an account with the same privileges as SA and modify the SA account. I'm not sure what's possible at this point because they have taken away most of my options.
If anyone has any suggestions, I would appreciate it.
This is my first time installing SQL 2005 on my VPC for testing purposes. I don't recall that I configured the sa account during the installation. Is there any way after the installation to configure the sa account with a password? Please advise
I installed SQL Server 2005 and Visual Studio 2005 and have discovered that the ASPNET machine account was not added as a user when going into "Computer Management". I obviously need this to run ASP.net apps. I tried going to the Administrators group to add user ASPNET, but the system can't find this user. How can I install the ASPNET account?
I need to secure an sqlserver database such that it can only be accessed from an application and to prevent anyone with full admin rights on their local machine and an sqlserver licence from getting in to the database.
I am struggling with controlling access to the database from the sa account. If I attach to the database from a second instance of sqlserver which is different than that where the database was created then I am able to gain full access no problems, which is of course The Problem.
From what I can work out:
1. sa is dbo (and this cannot be changed)
2. dbo has the role of db_owner (and this cannot be changed)
3. the permissions for the db_owner role cannot be changed
4. the password for sa is set at the level of sqlserver and not per database
.....so any sa can access any database.
I don't believe this so have to be missing something significant, any light on the subject would be gratefully received.
What is the best way of accessing a SQL Server on a live server? Shall I use Integrated Windows or use a special user account? If I use a user account, what are the needed privileges to give it?
I seem to remember that when using VS2003 to create a website which connected to a MSDE database, I needed to explicitly grant access to the database for the ASPNET machine account using the following SQL commands from within a .sql script:
EXEC sp_grantlogin '<machine>\ASPNET'
EXEC sp_grantdbaccess '<machine>\ASPNET'
With VS2005, it appears that upon creating an .MDF database in the App_Data folder this is no longer necessary. I'd be interested to know why this is so. Does VS2005 automatically do this when the database is created? If anybody could shed some light on this I'd be interested.
Thanks,
Wayne.
I have a DTS pkg containing VBScript scheduled as a job. The script creates an ADODB connection and opens it passing the servername, username, and password as parameters. We are using NT Authentication, and SQLAgent is using a domain account (SQLService acct).
The job runs fine if I specify a SQL username with SA authority in the ADO connection string. But if I try to use an NT acct it gets a login failure for the i.d. I also noticed that none of the NT login/users show up in the Job Owner drop down list of the job properties window.
My question is should I be able to run the job using just an NT account with SA authority or do I need both NT and SQL i.d.s to run jobs? What am I doing wrong?