Solved

sa = NT AUTHORITY\SYSTEM

Posted on 2010-09-10
10
892 Views
Last Modified: 2012-05-10
when you assign sa as the job owner, it turns it into NT AUTHORITY\SYSTEM; why is this and the significance of it?

thanks
0
Comment
Question by:anushahanna
  • 4
  • 2
  • 2
  • +1
10 Comments
 
LVL 1

Accepted Solution

by:
chadcku earned 125 total points
ID: 33649719
I beleive it is the account that the local SQL service is running under. That is the local computer account.
0
 
LVL 20

Assisted Solution

by:alainbryden
alainbryden earned 125 total points
ID: 33649721
SA is the Service Account and requires full permissions. If your SQL Server Service and SQL Agent Service are running on the NT Authority\System account then that will be the Service Account owner.

--
Alain
0
 
LVL 6

Author Comment

by:anushahanna
ID: 33649964
Alain,
>>If your SQL Server Service and SQL Agent Service are running on the NT Authority\System account

what are the other accounts on which SQL Server could be running? how can you find out which one is the current installation using?
0
 
LVL 1

Expert Comment

by:chadcku
ID: 33650009
You can look in your services control panel. In the right most column it will tell you who the user is that the service is running under. You can use any account, we use domain accounts for our SQL server services.
0
 
LVL 20

Expert Comment

by:alainbryden
ID: 33653861
Yeah if you go Run (window+R) Services.msc, you'll pull up your computer's services. You can see the 'Log on As' column as the service owner. You can change this by editing the service entry. Local System, Local Service, Network Service, as well as specific user accounts, are all valid.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 6

Author Comment

by:anushahanna
ID: 33661663
the SQL service account is "Local System Account"

how does this get converted into NT AUTHORITY\SYSTEM?
0
 
LVL 4

Assisted Solution

by:pbarry1
pbarry1 earned 250 total points
ID: 33688049
Hi!

NT AUTHORITY\SYSTEM = "Local System Account".  It's just another way of writing it.  SQL Server, Scheduled Tasks, etc. recognize "NT AUTHORITY\SYSTEM" as being what is called the "Local System Account" in the Windows environment.  

To make a long story short, when you create a job in SQL Agent and you put "sa" as the owner, the ownership is given to "NT AUTHORITY\SYSTEM" if your SQL Server doesn't support the "SQL Server Authentication Mode".   What it means depends on what the job does:  if it runs a "Operating Command (CmdExec)", it will run it with the highest privileges on the server (not a good idea from a security standpoint).  It won't have access to network ressources (shares, network path, etc) unless you grant access to the account "Domain Name\ServerName$" where "Domain name" is your domain and "ServerName" is the name of your server where SQL Agent is running (don't forget the "$" sign at the end).  If you're running a Transact-SQL (T-SQL) command, it will usually run, again, with the highest privileges ("sysadmin").  Again, not a good thing from a security standpoint unless you need to do "sysadmin" stuff.

Hope this helps.
0
 
LVL 6

Author Comment

by:anushahanna
ID: 33762835
Thanks for the helpful explanation, Barry.

you said "when you create a job in SQL Agent and you put "sa" as the owner, the ownership is given to "NT AUTHORITY\SYSTEM" if your SQL Server doesn't support the "SQL Server Authentication Mode"."

what if SQL Server Authentication Mode is allowed? how will things change in the above equation you explained?
0
 
LVL 4

Assisted Solution

by:pbarry1
pbarry1 earned 250 total points
ID: 33766580
If SQL Sever Authentication is allowed, putting "sa" as the owner of a SQL Agent job will mean that any Transact-SQL (T-SQL) command will run with "sysadmin" privileges (as if you were connected with the "sa" login and were running the SQL command) and the job will retain the "sa" as the owner.  If it's an operating command (CmdExec), it will run under the privileges of the Windows account used to run the SQL Server service and the job will retain the "sa" as the owner.
0
 
LVL 6

Author Comment

by:anushahanna
ID: 33795269
Thanks Barry.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Help with SQL Query 23 39
SQL Date Retrival 7 31
Change part of a string 2 24
SQL Server 2012 Express to Full 5 26
Performance is the key factor for any successful data integration project, knowing the type of transformation that you’re using is the first step on optimizing the SSIS flow performance, by utilizing the correct transformation or the design alternat…
Ever wondered why sometimes your SQL Server is slow or unresponsive with connections spiking up but by the time you go in, all is well? The following article will show you how to install and configure a SQL job that will send you email alerts includ…
This videos aims to give the viewer a basic demonstration of how a user can query current session information by using the SYS_CONTEXT function
Using examples as well as descriptions, and references to Books Online, show the documentation available for datatypes, explain the available data types and show how data can be passed into and out of variables.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now