
New NT account to replace builtin admin

If I set up a new domain account to start SQL and remove builtin/admins:

Does the new ntdomain/sqlstartup account in Windows NT need to be part of Domain Admins?
And the nt authority\network service (anyone know what this is?)
1 Solution
I know for sure that Microsoft does not recommend that you run SQL Server with domain admin or even local admin permissions.

If you do not want the SQL Server or the SQL Server Agent startup account to be a member of the Local Administrators group, then the startup account for the MSSQLServer service and the SQLServerAgent service (either a local Windows NT account or a domain Windows NT account) must have these user rights:
• Act as Part of the Operating System = SeTcbPrivilege  
• Bypass Traverse Checking = SeChangeNotify  
• Lock Pages In Memory = SeLockMemory  
• Log on as a Batch Job = SeBatchLogonRight  
• Log on as a Service = SeServiceLogonRight  
• Replace a Process Level Token = SeAssignPrimaryTokenPrivilege  

All that we need to give are the above permissions (and, of course, full permissions on the binaries and the data files).
Just a point here: if SQL is running on a cluster and we plan to remove builtin/admin, do not forget to add the cluster service startup account as a login under SQL; otherwise SQL would fail to come online.
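
Added example, not part of the original answer: a PowerShell check of whether a service account holds the six rights listed above, run over a `secedit` user-rights export. The function name, the sample SIDs and the export text are constructed for illustration; `secedit` writes the full constant names `SeChangeNotifyPrivilege` and `SeLockMemoryPrivilege`.

```powershell
# Added example. Produce real input on the host with:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
$RequiredRights = [ordered]@{
    SeTcbPrivilege                = 'Act as Part of the Operating System'
    SeChangeNotifyPrivilege       = 'Bypass Traverse Checking'
    SeLockMemoryPrivilege         = 'Lock Pages In Memory'
    SeBatchLogonRight             = 'Log on as a Batch Job'
    SeServiceLogonRight           = 'Log on as a Service'
    SeAssignPrimaryTokenPrivilege = 'Replace a Process Level Token'
}

function Test-ServiceAccountRights {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$InfText,
        [Parameter(Mandatory)][string[]]$Sids  # account SID plus SIDs of its groups
    )
    # Map each right in the export to the list of SIDs that hold it.
    $granted = @{}
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $name    = $Matches[1]
            $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
            $granted[$name] = @($holders)
        }
    }
    foreach ($right in $RequiredRights.Keys) {
        $hit = @($granted[$right] | Where-Object { $_ -and ($Sids -contains $_) })
        [pscustomobject]@{
            Right   = $right
            Display = $RequiredRights[$right]
            Granted = $hit.Count -gt 0
            Via     = $hit -join ','
        }
    }
}

# Constructed sample export; the domain SID is made up.
$acct = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # stands in for ntdomain\sqlstartup
$sample = @"
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544
SeServiceLogonRight = *S-1-5-20,*$acct
SeBatchLogonRight = *S-1-5-32-544,*$acct
SeLockMemoryPrivilege = *$acct
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
"@

# S-1-1-0 is Everyone; BUILTIN\Administrators (S-1-5-32-544) is deliberately not passed.
Test-ServiceAccountRights -InfText $sample -Sids $acct, 'S-1-1-0' | Format-Table -AutoSize
```

With the constructed sample, `SeTcbPrivilege` and `SeAssignPrimaryTokenPrivilege` come back as not granted, which are the gaps to close before the account is taken out of the Administrators group.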
