Rights for a DBA

 
Dave Morrow
Guest





Posted: Fri Nov 11, 2005 8:35 am    Post subject: Rights for a DBA

Hi all. I've run into a rather perplexing problem with respect to giving
access rights to a DBA. I have given the DBA System Administrator rights
within SQL Server 2000 which is running on the server but would prefer to not
give him Administrator rights to the Windows 2000 server itself.
Unfortunately, he needs to be able to stop and start the SQL Server services
(SQLServer and SQLServerAgent). Does anyone know how I can achieve this
without granting full administrator rights to the server?
Steven L Umbach
Guest





Posted: Fri Nov 11, 2005 5:50 pm    Post subject: Re: Rights for a DBA

I am not an SQL guy :( but you can use utilities such as subinacl or setacl
[free third party] to change permissions on a service. Just be careful
because you probably want to edit the permissions and not replace them with
just that user account. The links below explain more, and Group Policy is
another alternative. The MMC snap-in for Security Configuration and Analysis
is a good way to see actual service permissions by doing an "analysis"
against some template if you want to verify results. You can do that with
subinacl but the output is rather user-unfriendly unless you are used to
it.
--- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;288129
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/seconfig.mspx
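
The caution in the reply above about editing a service's permissions rather than replacing them, shown as an added example that is not part of the original thread. It assumes the service's security descriptor is available as SDDL text (the form `sc sdshow` prints on Windows versions whose `sc` supports it); the sample descriptor, the SID and the function names are constructed for illustration.

```python
import re

# Meaning of the two-letter SDDL rights codes when the object is a Windows service.
SERVICE_RIGHTS = {
    "CC": "query config", "DC": "change config", "LC": "query status",
    "SW": "enumerate dependents", "RP": "start", "WP": "stop",
    "DT": "pause/continue", "LO": "interrogate", "CR": "user-defined control",
    "SD": "delete", "RC": "read control", "WD": "write DAC", "WO": "write owner",
}
OPERATOR = "LCRPWPLORC"  # query status, start, stop, interrogate, read control
ESCALATING = {"DC", "SD", "WD", "WO"}  # holder could reconfigure or re-ACL the service
SDDL_RE = re.compile(r"^(?P<head>.*?D:[A-Z]*?)(?P<aces>(?:\([^)]*\))*)(?P<sacl>S:.*)?$")

def split_sddl(sddl):
    """Return (text up to the DACL flags, list of ACE field lists, SACL text)."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = [a.split(";") for a in re.findall(r"\(([^)]*)\)", m["aces"])]
    return m["head"], aces, m["sacl"] or ""

def codes(rights):
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]

def describe(sddl):
    """List (ace_type, trustee, [right names]) for each DACL entry, for review."""
    return [(a[0], a[5], [SERVICE_RIGHTS.get(c, c) for c in codes(a[2])])
            for a in split_sddl(sddl)[1]]

def grant(sddl, sid, rights=OPERATOR):
    """Append one allow ACE for sid; existing ACEs and the SACL are left as they were."""
    if not re.fullmatch(r"S-1(-\d+)+", sid):
        raise ValueError("trustee must be a SID string")
    bad = ESCALATING & set(codes(rights))
    if bad:
        raise ValueError("refusing escalating rights: %s" % sorted(bad))
    head, aces, sacl = split_sddl(sddl)
    aces.append(["A", "", rights, "", "", sid])
    return head + "".join("(%s)" % ";".join(a) for a in aces) + sacl

# Constructed sample descriptor and placeholder SID, not taken from any real server.
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
DBA_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

if __name__ == "__main__":
    updated = grant(SAMPLE, DBA_SID)
    print(updated)
    for entry in describe(updated):
        print(entry)
```

Running `describe` on the descriptor before and after the change gives a readable list to compare, which is the verification step the reply recommends.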
Roger Abell [MVP]
Guest





Posted: Sat Nov 12, 2005 9:50 pm    Post subject: Re: Rights for a DBA

You can do as Steve has said to give them start/stop etc permissions
on the services of SQL, and also make sure that you have given them
permissions on the storage areas the SQL Server uses as they will
need this for creating new databases.
If you really, really want to make sure they are restricted from having
admin capability on the machine, then you must make sure that SQL
Server is not configured to run as Local System.
S. Pidgorny
Guest





Posted: Sun Nov 13, 2005 9:50 am    Post subject: Re: Rights for a DBA

Nor is SQL Agent!

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
All times are GMT