Solved

sa = NT AUTHORITY\SYSTEM

Posted on 2010-09-10
10
929 Views
Last Modified: 2012-05-10
when you assign sa as the job owner, it turns it into NT AUTHORITY\SYSTEM; why is this and the significance of it?

thanks
0
Comment
Question by:anushahanna
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
10 Comments
 
LVL 1

Accepted Solution

by:
chadcku earned 125 total points
ID: 33649719
I beleive it is the account that the local SQL service is running under. That is the local computer account.
0
 
LVL 20

Assisted Solution

by:alainbryden
alainbryden earned 125 total points
ID: 33649721
SA is the Service Account and requires full permissions. If your SQL Server Service and SQL Agent Service are running on the NT Authority\System account then that will be the Service Account owner.

--
Alain
0
 
LVL 6

Author Comment

by:anushahanna
ID: 33649964
Alain,
>>If your SQL Server Service and SQL Agent Service are running on the NT Authority\System account

what are the other accounts on which SQL Server could be running? how can you find out which one is the current installation using?
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 
LVL 1

Expert Comment

by:chadcku
ID: 33650009
You can look in your services control panel. In the right most column it will tell you who the user is that the service is running under. You can use any account, we use domain accounts for our SQL server services.
0
 
LVL 20

Expert Comment

by:alainbryden
ID: 33653861
Yeah if you go Run (window+R) Services.msc, you'll pull up your computer's services. You can see the 'Log on As' column as the service owner. You can change this by editing the service entry. Local System, Local Service, Network Service, as well as specific user accounts, are all valid.
0
 
LVL 6

Author Comment

by:anushahanna
ID: 33661663
the SQL service account is "Local System Account"

how does this get converted into NT AUTHORITY\SYSTEM?
0
 
LVL 4

Assisted Solution

by:pbarry1
pbarry1 earned 250 total points
ID: 33688049
Hi!

NT AUTHORITY\SYSTEM = "Local System Account".  It's just another way of writing it.  SQL Server, Scheduled Tasks, etc. recognize "NT AUTHORITY\SYSTEM" as being what is called the "Local System Account" in the Windows environment.  

To make a long story short, when you create a job in SQL Agent and you put "sa" as the owner, the ownership is given to "NT AUTHORITY\SYSTEM" if your SQL Server doesn't support the "SQL Server Authentication Mode".   What it means depends on what the job does:  if it runs a "Operating Command (CmdExec)", it will run it with the highest privileges on the server (not a good idea from a security standpoint).  It won't have access to network ressources (shares, network path, etc) unless you grant access to the account "Domain Name\ServerName$" where "Domain name" is your domain and "ServerName" is the name of your server where SQL Agent is running (don't forget the "$" sign at the end).  If you're running a Transact-SQL (T-SQL) command, it will usually run, again, with the highest privileges ("sysadmin").  Again, not a good thing from a security standpoint unless you need to do "sysadmin" stuff.

Hope this helps.
0
 
LVL 6

Author Comment

by:anushahanna
ID: 33762835
Thanks for the helpful explanation, Barry.

you said "when you create a job in SQL Agent and you put "sa" as the owner, the ownership is given to "NT AUTHORITY\SYSTEM" if your SQL Server doesn't support the "SQL Server Authentication Mode"."

what if SQL Server Authentication Mode is allowed? how will things change in the above equation you explained?
0
 
LVL 4

Assisted Solution

by:pbarry1
pbarry1 earned 250 total points
ID: 33766580
If SQL Sever Authentication is allowed, putting "sa" as the owner of a SQL Agent job will mean that any Transact-SQL (T-SQL) command will run with "sysadmin" privileges (as if you were connected with the "sa" login and were running the SQL command) and the job will retain the "sa" as the owner.  If it's an operating command (CmdExec), it will run under the privileges of the Windows account used to run the SQL Server service and the job will retain the "sa" as the owner.
0
 
LVL 6

Author Comment

by:anushahanna
ID: 33795269
Thanks Barry.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction SQL Server Integration Services can read XML files, that’s known by every BI developer.  (If you didn’t, don’t worry, I’m aiming this article at newcomers as well.) But how far can you go?  When does the XML Source component become …
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Via a live example, show how to extract information from SQL Server on Database, Connection and Server properties
Using examples as well as descriptions, and references to Books Online, show the documentation available for datatypes, explain the available data types and show how data can be passed into and out of variables.

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question