?
Solved

sa = NT AUTHORITY\SYSTEM

Posted on 2010-09-10
10
Medium Priority
?
938 Views
Last Modified: 2012-05-10
when you assign sa as the job owner, it turns it into NT AUTHORITY\SYSTEM; why is this and the significance of it?

thanks
0
Comment
Question by:anushahanna
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
10 Comments
 
LVL 1

Accepted Solution

by:
chadcku earned 500 total points
ID: 33649719
I beleive it is the account that the local SQL service is running under. That is the local computer account.
0
 
LVL 20

Assisted Solution

by:alainbryden
alainbryden earned 500 total points
ID: 33649721
SA is the Service Account and requires full permissions. If your SQL Server Service and SQL Agent Service are running on the NT Authority\System account then that will be the Service Account owner.

--
Alain
0
 
LVL 6

Author Comment

by:anushahanna
ID: 33649964
Alain,
>>If your SQL Server Service and SQL Agent Service are running on the NT Authority\System account

what are the other accounts on which SQL Server could be running? how can you find out which one is the current installation using?
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 
LVL 1

Expert Comment

by:chadcku
ID: 33650009
You can look in your services control panel. In the right most column it will tell you who the user is that the service is running under. You can use any account, we use domain accounts for our SQL server services.
0
 
LVL 20

Expert Comment

by:alainbryden
ID: 33653861
Yeah if you go Run (window+R) Services.msc, you'll pull up your computer's services. You can see the 'Log on As' column as the service owner. You can change this by editing the service entry. Local System, Local Service, Network Service, as well as specific user accounts, are all valid.
0
 
LVL 6

Author Comment

by:anushahanna
ID: 33661663
the SQL service account is "Local System Account"

how does this get converted into NT AUTHORITY\SYSTEM?
0
 
LVL 4

Assisted Solution

by:pbarry1
pbarry1 earned 1000 total points
ID: 33688049
Hi!

NT AUTHORITY\SYSTEM = "Local System Account".  It's just another way of writing it.  SQL Server, Scheduled Tasks, etc. recognize "NT AUTHORITY\SYSTEM" as being what is called the "Local System Account" in the Windows environment.  

To make a long story short, when you create a job in SQL Agent and you put "sa" as the owner, the ownership is given to "NT AUTHORITY\SYSTEM" if your SQL Server doesn't support the "SQL Server Authentication Mode".   What it means depends on what the job does:  if it runs a "Operating Command (CmdExec)", it will run it with the highest privileges on the server (not a good idea from a security standpoint).  It won't have access to network ressources (shares, network path, etc) unless you grant access to the account "Domain Name\ServerName$" where "Domain name" is your domain and "ServerName" is the name of your server where SQL Agent is running (don't forget the "$" sign at the end).  If you're running a Transact-SQL (T-SQL) command, it will usually run, again, with the highest privileges ("sysadmin").  Again, not a good thing from a security standpoint unless you need to do "sysadmin" stuff.

Hope this helps.
0
 
LVL 6

Author Comment

by:anushahanna
ID: 33762835
Thanks for the helpful explanation, Barry.

you said "when you create a job in SQL Agent and you put "sa" as the owner, the ownership is given to "NT AUTHORITY\SYSTEM" if your SQL Server doesn't support the "SQL Server Authentication Mode"."

what if SQL Server Authentication Mode is allowed? how will things change in the above equation you explained?
0
 
LVL 4

Assisted Solution

by:pbarry1
pbarry1 earned 1000 total points
ID: 33766580
If SQL Sever Authentication is allowed, putting "sa" as the owner of a SQL Agent job will mean that any Transact-SQL (T-SQL) command will run with "sysadmin" privileges (as if you were connected with the "sa" login and were running the SQL command) and the job will retain the "sa" as the owner.  If it's an operating command (CmdExec), it will run under the privileges of the Windows account used to run the SQL Server service and the job will retain the "sa" as the owner.
0
 
LVL 6

Author Comment

by:anushahanna
ID: 33795269
Thanks Barry.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

JSON is being used more and more, besides XML, and you surely wanted to parse the data out into SQL instead of doing it in some Javascript. The below function in SQL Server can do the job for you, returning a quick table with the parsed data.
In part one, we reviewed the prerequisites required for installing SQL Server vNext. In this part we will explore how to install Microsoft's SQL Server on Ubuntu 16.04.
Familiarize people with the process of retrieving data from SQL Server using an Access pass-thru query. Microsoft Access is a very powerful client/server development tool. One of the ways that you can retrieve data from a SQL Server is by using a pa…
Using examples as well as descriptions, and references to Books Online, show the different Recovery Models available in SQL Server and explain, as well as show how full, differential and transaction log backups are performed
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question