Thursday, February 9, 2012

Access denied starting SQL Server after joining to new Windows domain

Hi, I made the following steps:
1. Removed the SQL Server 2000 computer (W2k3) from the old Windows domain
2. Joined the same computer to the new Windows domain (newdomain)
3. On the Domain Controller (W2k3) I created a domain account
SQLLaunch, which is a member of the Domain Users group.
4. On the SQL Server 2003 computer I changed the SQL Server service
startup account to the SQLStart@newdomain account. I did the same thing
with the SQL Server Agent service. Both the SQL Server service and SQL
Server Agent start automatically when the OS starts.
After these steps I tried to start the SQL Server service, but
SQL Server did not start. An error message dialog appears as follows:
"Could not start the MSSQLSERVER service on Local Computer
Error 5: Access denied"
After I log in to the SQL Server computer using the SQLStart@newdomain
account and try to start sqlservr.exe in the SQL Server home directory,
a similar error dialog appears:
"Access denied"
Only after I made the SQLStart@newdomain account a member of
the local Administrator group on the SQL Server computer did everything
go well.
What can I do to avoid granting the Administrator's rights to
SQLStart@newdomain (in order to
minimize the risk of exploits - it is not the right way to grant the
Administrator's rights)? The desire is to use a domain account
without any Administration rights. Can anyone help me?
thanks
Libor

Hello Libor,
From your very detailed description I believe your error is nothing to do with
SQL Server, and everything to do with permissions on the server. The reason I
believe this is that firstly the error you're getting, 'Access Denied', is not a
SQL Server error but a Server 2003 error; secondly, by putting it into your
local administration group you can do it.
This is what I would do to check this out.
NB you will need down time for this...
1. Take the domain id out of the Local Administrators
2. By hand try to access the directories your SQL Server lives in,
followed by the Log and data files.
If you get an Access Denied message then you will need to modify the access
rights of the directory to include your new domain account.
Peter
"Cauliflower is nothing but cabbage with a college education."
Mark Twain

I don't think that the account needs full admin rights to the server, but it
needs the "log on as a service" right. When you set the account that runs
the service, the OS will automatically grant this right. I'd expect though
that you need to be logged on with an account that has the rights to grant
this right to do it. In other words, try to log on to the server as
Administrator (or another account with admin rights) and then set the
account for the SQLSERVER and SQLServerAgent services. Then the account should be
granted rights to log on as a service. Then try to restart the server (or
just the service). Remember to remove the SQL accounts from the server's admin
group before you test it.
Regards
Steen

Thanks for this useful advice. There is another way to solve the
problem too. Simply reinstall the server with the option
"registry rebuild". I guess it does the same things as you
recommended. In addition, the startup account must be
registered as a SQL Server login.
Unfortunately, starting the SQLServerAgent needs the startup
account to be a member of the SQL Server System Administration group.
But this is not critical for me.
Libor
On Wed, 9 Mar 2005 10:08:37 +0100, "Steen Persson"
<SPE@.REMOVEdatea.dk> wrote:
>I don't think that the account needs full admin rights to the server, but it
>needs the "log on as a service" right. When you set the account that runs
>the service, the OS will automatically grant this right. I'd expect though
>that you need to be logged on with an account that has the rights to grant
>this right to do it. In other words, try to log on to the server as
>Administrator (or another account with admin rights) and then set the
>account for the SQLSERVER and SQLServerAgent services. Then the account should be
>granted rights to log on as a service. Then try to restart the server (or
>just the service). Remember to remove the SQL accounts from the server's admin
>group before you test it.
>Regards
>Steen

Thanks for the advice. I solved the problem by reinstalling the SQL
Server using the "Registry rebuild" option.
Libor
On Tue, 8 Mar 2005 08:41:05 -0800, Peter 'Not Peter The Spate' Nolan
<PeterNotPeterTheSpateNolan@.discussions.microsoft.com> wrote:
>Hello Libor,
>From your very detailed description I believe your error is nothing to do with
>SQL Server, and everything to do with permissions on the server. The reason I
>believe this is that firstly the error you're getting, 'Access Denied', is not a
>SQL Server error but a Server 2003 error; secondly, by putting it into your
>local administration group you can do it.
>This is what I would do to check this out.
>NB you will need down time for this...
>1. Take the domain id out of the Local Administrators
>2. By hand try to access the directories your SQL Server lives in,
>followed by the Log and data files.
>If you get an Access Denied message then you will need to modify the access
>rights of the directory to include your new domain account.
>Peter
>"Cauliflower is nothing but cabbage with a college education."
>Mark Twain

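The checks suggested in this thread (directory permissions, the "log on as a service" right, and no membership in the local Administrators group), gathered into one PowerShell audit script; this is an added example, not code from any of the posters, and it uses a shell that postdates the thread. The account in `DOMAIN\user` form, the install root and the `Binn`/`Data`/`LOG` folder names are assumptions to replace with the real values; run it from an elevated prompt on an English-language Windows install.

```powershell
# Added example: every value in this first block is a placeholder/assumption.
$Account = 'NEWDOMAIN\SQLStart'                            # service account, DOMAIN\user form
$SqlRoot = 'C:\Program Files\Microsoft SQL Server\MSSQL'   # assumed install root
$Paths   = 'Binn', 'Data', 'LOG' | ForEach-Object { Join-Path $SqlRoot $_ }

# Resolve the account to its SID; the security policy export lists rights by SID.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$Sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. Which account is each service configured to start as?
Get-CimInstance -ClassName Win32_Service -Filter "Name='MSSQLSERVER' OR Name='SQLSERVERAGENT'" |
    Select-Object Name, StartName, State

# 2. Does the account hold "Log on as a service" (SeServiceLogonRight) directly?
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
    Select-Object -First 1
Remove-Item $cfg
$holders = @()
if ($line) {
    # Entries look like "*S-1-5-..." (SID) or a plain account name.
    $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}
$hasLogonRight = ($holders -contains $Sid) -or ($holders -contains $Account)

# 3. Is the account still in the local Administrators group? (It should not be.)
$pattern = '^' + [regex]::Escape($Account) + '\s*$'
$isAdmin = [bool]((net localgroup Administrators) -match $pattern)

"Log on as a service granted directly: $hasLogonRight"
"Member of local Administrators:       $isAdmin"

# 4. ACEs on the SQL Server directories that name the account directly.
#    Rights inherited through group membership are not resolved here.
foreach ($p in $Paths) {
    $aces = (Get-Acl -Path $p).Access | Where-Object { $_.IdentityReference.Value -eq $Account }
    if ($aces) {
        $aces | Select-Object @{n = 'Path'; e = { $p } }, FileSystemRights, AccessControlType, IsInherited
    } else {
        [pscustomobject]@{ Path = $p; FileSystemRights = 'no direct ACE'; AccessControlType = $null; IsInherited = $null }
    }
}
```

A directory reported as "no direct ACE" may still be reachable through a group the account belongs to, so confirm by attempting the access as that account before changing permissions.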