Solved

sa = NT AUTHORITY\SYSTEM

Posted on 2010-09-10
10
916 Views
Last Modified: 2012-05-10
when you assign sa as the job owner, it turns it into NT AUTHORITY\SYSTEM; why is this and the significance of it?

thanks
0
Comment
Question by:anushahanna
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
10 Comments
 
LVL 1

Accepted Solution

by:
chadcku earned 125 total points
ID: 33649719
I beleive it is the account that the local SQL service is running under. That is the local computer account.
0
 
LVL 20

Assisted Solution

by:alainbryden
alainbryden earned 125 total points
ID: 33649721
SA is the Service Account and requires full permissions. If your SQL Server Service and SQL Agent Service are running on the NT Authority\System account then that will be the Service Account owner.

--
Alain
0
 
LVL 6

Author Comment

by:anushahanna
ID: 33649964
Alain,
>>If your SQL Server Service and SQL Agent Service are running on the NT Authority\System account

what are the other accounts on which SQL Server could be running? how can you find out which one is the current installation using?
0
Backup Solution for AWS

Read about how CloudBerry Backup fully integrates your backups with Amazon S3 and Amazon Glacier to provide military-grade encryption and dramatically cut storage costs on any platform.

 
LVL 1

Expert Comment

by:chadcku
ID: 33650009
You can look in your services control panel. In the right most column it will tell you who the user is that the service is running under. You can use any account, we use domain accounts for our SQL server services.
0
 
LVL 20

Expert Comment

by:alainbryden
ID: 33653861
Yeah if you go Run (window+R) Services.msc, you'll pull up your computer's services. You can see the 'Log on As' column as the service owner. You can change this by editing the service entry. Local System, Local Service, Network Service, as well as specific user accounts, are all valid.
0
 
LVL 6

Author Comment

by:anushahanna
ID: 33661663
the SQL service account is "Local System Account"

how does this get converted into NT AUTHORITY\SYSTEM?
0
 
LVL 4

Assisted Solution

by:pbarry1
pbarry1 earned 250 total points
ID: 33688049
Hi!

NT AUTHORITY\SYSTEM = "Local System Account".  It's just another way of writing it.  SQL Server, Scheduled Tasks, etc. recognize "NT AUTHORITY\SYSTEM" as being what is called the "Local System Account" in the Windows environment.  

To make a long story short, when you create a job in SQL Agent and you put "sa" as the owner, the ownership is given to "NT AUTHORITY\SYSTEM" if your SQL Server doesn't support the "SQL Server Authentication Mode".   What it means depends on what the job does:  if it runs a "Operating Command (CmdExec)", it will run it with the highest privileges on the server (not a good idea from a security standpoint).  It won't have access to network ressources (shares, network path, etc) unless you grant access to the account "Domain Name\ServerName$" where "Domain name" is your domain and "ServerName" is the name of your server where SQL Agent is running (don't forget the "$" sign at the end).  If you're running a Transact-SQL (T-SQL) command, it will usually run, again, with the highest privileges ("sysadmin").  Again, not a good thing from a security standpoint unless you need to do "sysadmin" stuff.

Hope this helps.
0
 
LVL 6

Author Comment

by:anushahanna
ID: 33762835
Thanks for the helpful explanation, Barry.

you said "when you create a job in SQL Agent and you put "sa" as the owner, the ownership is given to "NT AUTHORITY\SYSTEM" if your SQL Server doesn't support the "SQL Server Authentication Mode"."

what if SQL Server Authentication Mode is allowed? how will things change in the above equation you explained?
0
 
LVL 4

Assisted Solution

by:pbarry1
pbarry1 earned 250 total points
ID: 33766580
If SQL Sever Authentication is allowed, putting "sa" as the owner of a SQL Agent job will mean that any Transact-SQL (T-SQL) command will run with "sysadmin" privileges (as if you were connected with the "sa" login and were running the SQL command) and the job will retain the "sa" as the owner.  If it's an operating command (CmdExec), it will run under the privileges of the Windows account used to run the SQL Server service and the job will retain the "sa" as the owner.
0
 
LVL 6

Author Comment

by:anushahanna
ID: 33795269
Thanks Barry.
0

Featured Post

Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Nowadays, some of developer are too much worried about data. Who is using data, who is updating it etc. etc. Because, data is more costlier in term of money and information. So security of data is focusing concern in days. Lets' understand the Au…
Introduction SQL Server Integration Services can read XML files, that’s known by every BI developer.  (If you didn’t, don’t worry, I’m aiming this article at newcomers as well.) But how far can you go?  When does the XML Source component become …
Via a live example combined with referencing Books Online, show some of the information that can be extracted from the Catalog Views in SQL Server.
This videos aims to give the viewer a basic demonstration of how a user can query current session information by using the SYS_CONTEXT function

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question