Hi, I made following steps:
1. Remove the SQL Server 2000 computer (W2k3) from old Windows domain
2. The same computer joined to new Windows domain (newdomain)
3. On the Domain Controler (W2k3) I create an domain account
SQLLaunch, which is a member of Domain Users group.
4. On the SQL Server 2003 computer I changed the SQL Server service
startup account to SQLStart@.newdomain account. The same thing made I
with the SQL Server Agent Service. Both the SQL Server Service and SQL
Server Agent start automatically when OS starts.
after these steps I tried to start the SQL Server service, but the
SQL Server did not start. Error message dialog appears as follows:
"Could not start the MSSQLSERVER service on Local Computer
Error 5: Access denied"
After I login to the SQL Server computer using SQLStart@.newdomain
account and try to start the sqlservr.exe in SQL Server home directory
similar error dialog appears:
"Access denied"
first after I made the SQLStart@.newdomain account a member of
the local Administrator group on ther SQL Server computer, everything
is going well.
What can I do to avoid to grant the Administrator's rights to the
SQLStart@.newdomain (in order to
minimize risk of exploits - it is not the right way to grant the
Administrator's rights). The desire is to use a domain account
without any Administration rights. Can anyone help me?
thanks
LiborI don't think that the account needs full admin rights to the server, but it
needs the "log on as a service" rights. When you set the account that runs
the service, the OS will automatically grant this right. I'd expect though
that you need to be logged on with an account that has the rights to grant
this rights to do it. In other words, try to log on the the server as
Administrator (or another account with admin rights) and then set the
account for SQLSERVER and SQLServerAgent service. Then the account should be
granted rights to log on as a service. Then try to restart the server (or
just the service). Remember to remove the SQL acounts from the servers admin
group before you test it.
Regards
Steen
Libor Forejtnik wrote:
> Hi, I made following steps:
> 1. Remove the SQL Server 2000 computer (W2k3) from old Windows domain
> 2. The same computer joined to new Windows domain (newdomain)
> 3. On the Domain Controler (W2k3) I create an domain account
> SQLLaunch, which is a member of Domain Users group.
> 4. On the SQL Server 2003 computer I changed the SQL Server service
> startup account to SQLStart@.newdomain account. The same thing made I
> with the SQL Server Agent Service. Both the SQL Server Service and SQL
> Server Agent start automatically when OS starts.
> after these steps I tried to start the SQL Server service, but the
> SQL Server did not start. Error message dialog appears as follows:
> "Could not start the MSSQLSERVER service on Local Computer
> Error 5: Access denied"
> After I login to the SQL Server computer using SQLStart@.newdomain
> account and try to start the sqlservr.exe in SQL Server home directory
> similar error dialog appears:
> "Access denied"
> first after I made the SQLStart@.newdomain account a member of
> the local Administrator group on ther SQL Server computer, everything
> is going well.
> What can I do to avoid to grant the Administrator's rights to the
> SQLStart@.newdomain (in order to
> minimize risk of exploits - it is not the right way to grant the
> Administrator's rights). The desire is to use a domain account
> without any Administration rights. Can anyone help me?
> thanks
> Libor|||Thank for this usefull advice. There is another way to solve the
problem too. Simply reinstall the server with the option
"registry rebuild". I guess, it makes the same things as You
recomended. In addition, the startup account must be
registered as a SQL Server login.
Unfortunatelly, starting the SQLServerAgent needs to have the startup
account a member of the SQL Server System Administration group.
But this is not a critical for me.
Libor
On Wed, 9 Mar 2005 10:08:37 +0100, "Steen Persson"
<SPE@.REMOVEdatea.dk> wrote:
>I don't think that the account needs full admin rights to the server, but i
t
>needs the "log on as a service" rights. When you set the account that runs
>the service, the OS will automatically grant this right. I'd expect though
>that you need to be logged on with an account that has the rights to grant
>this rights to do it. In other words, try to log on the the server as
>Administrator (or another account with admin rights) and then set the
>account for SQLSERVER and SQLServerAgent service. Then the account should b
e
>granted rights to log on as a service. Then try to restart the server (or
>just the service). Remember to remove the SQL acounts from the servers admi
n
>group before you test it.
>Regards
>Steen
>Libor Forejtnik wrote:
>
Showing posts with label domain2. Show all posts
Showing posts with label domain2. Show all posts
Thursday, February 9, 2012
Access denied starting SQL Server after joining to new Windows domain
Hi, I made following steps:
1. Remove the SQL Server 2000 computer (W2k3) from old Windows domain
2. The same computer joined to new Windows domain (newdomain)
3. On the Domain Controler (W2k3) I create an domain account
SQLLaunch, which is a member of Domain Users group.
4. On the SQL Server 2003 computer I changed the SQL Server service
startup account to SQLStart@.newdomain account. The same thing made I
with the SQL Server Agent Service. Both the SQL Server Service and SQL
Server Agent start automatically when OS starts.
after these steps I tried to start the SQL Server service, but the
SQL Server did not start. Error message dialog appears as follows:
"Could not start the MSSQLSERVER service on Local Computer
Error 5: Access denied"
After I login to the SQL Server computer using SQLStart@.newdomain
account and try to start the sqlservr.exe in SQL Server home directory
similar error dialog appears:
"Access denied"
first after I made the SQLStart@.newdomain account a member of
the local Administrator group on ther SQL Server computer, everything
is going well.
What can I do to avoid to grant the Administrator's rights to the
SQLStart@.newdomain (in order to
minimize risk of exploits - it is not the right way to grant the
Administrator's rights). The desire is to use a domain account
without any Administration rights. Can anyone help me?
thanks
Libor
I don't think that the account needs full admin rights to the server, but it
needs the "log on as a service" rights. When you set the account that runs
the service, the OS will automatically grant this right. I'd expect though
that you need to be logged on with an account that has the rights to grant
this rights to do it. In other words, try to log on the the server as
Administrator (or another account with admin rights) and then set the
account for SQLSERVER and SQLServerAgent service. Then the account should be
granted rights to log on as a service. Then try to restart the server (or
just the service). Remember to remove the SQL acounts from the servers admin
group before you test it.
Regards
Steen
Libor Forejtnik wrote:
> Hi, I made following steps:
> 1. Remove the SQL Server 2000 computer (W2k3) from old Windows domain
> 2. The same computer joined to new Windows domain (newdomain)
> 3. On the Domain Controler (W2k3) I create an domain account
> SQLLaunch, which is a member of Domain Users group.
> 4. On the SQL Server 2003 computer I changed the SQL Server service
> startup account to SQLStart@.newdomain account. The same thing made I
> with the SQL Server Agent Service. Both the SQL Server Service and SQL
> Server Agent start automatically when OS starts.
> after these steps I tried to start the SQL Server service, but the
> SQL Server did not start. Error message dialog appears as follows:
> "Could not start the MSSQLSERVER service on Local Computer
> Error 5: Access denied"
> After I login to the SQL Server computer using SQLStart@.newdomain
> account and try to start the sqlservr.exe in SQL Server home directory
> similar error dialog appears:
> "Access denied"
> first after I made the SQLStart@.newdomain account a member of
> the local Administrator group on ther SQL Server computer, everything
> is going well.
> What can I do to avoid to grant the Administrator's rights to the
> SQLStart@.newdomain (in order to
> minimize risk of exploits - it is not the right way to grant the
> Administrator's rights). The desire is to use a domain account
> without any Administration rights. Can anyone help me?
> thanks
> Libor
|||Thank for this usefull advice. There is another way to solve the
problem too. Simply reinstall the server with the option
"registry rebuild". I guess, it makes the same things as You
recomended. In addition, the startup account must be
registered as a SQL Server login.
Unfortunatelly, starting the SQLServerAgent needs to have the startup
account a member of the SQL Server System Administration group.
But this is not a critical for me.
Libor
On Wed, 9 Mar 2005 10:08:37 +0100, "Steen Persson"
<SPE@.REMOVEdatea.dk> wrote:
>I don't think that the account needs full admin rights to the server, but it
>needs the "log on as a service" rights. When you set the account that runs
>the service, the OS will automatically grant this right. I'd expect though
>that you need to be logged on with an account that has the rights to grant
>this rights to do it. In other words, try to log on the the server as
>Administrator (or another account with admin rights) and then set the
>account for SQLSERVER and SQLServerAgent service. Then the account should be
>granted rights to log on as a service. Then try to restart the server (or
>just the service). Remember to remove the SQL acounts from the servers admin
>group before you test it.
>Regards
>Steen
>Libor Forejtnik wrote:
>
1. Remove the SQL Server 2000 computer (W2k3) from old Windows domain
2. The same computer joined to new Windows domain (newdomain)
3. On the Domain Controler (W2k3) I create an domain account
SQLLaunch, which is a member of Domain Users group.
4. On the SQL Server 2003 computer I changed the SQL Server service
startup account to SQLStart@.newdomain account. The same thing made I
with the SQL Server Agent Service. Both the SQL Server Service and SQL
Server Agent start automatically when OS starts.
after these steps I tried to start the SQL Server service, but the
SQL Server did not start. Error message dialog appears as follows:
"Could not start the MSSQLSERVER service on Local Computer
Error 5: Access denied"
After I login to the SQL Server computer using SQLStart@.newdomain
account and try to start the sqlservr.exe in SQL Server home directory
similar error dialog appears:
"Access denied"
first after I made the SQLStart@.newdomain account a member of
the local Administrator group on ther SQL Server computer, everything
is going well.
What can I do to avoid to grant the Administrator's rights to the
SQLStart@.newdomain (in order to
minimize risk of exploits - it is not the right way to grant the
Administrator's rights). The desire is to use a domain account
without any Administration rights. Can anyone help me?
thanks
Libor
I don't think that the account needs full admin rights to the server, but it
needs the "log on as a service" rights. When you set the account that runs
the service, the OS will automatically grant this right. I'd expect though
that you need to be logged on with an account that has the rights to grant
this rights to do it. In other words, try to log on the the server as
Administrator (or another account with admin rights) and then set the
account for SQLSERVER and SQLServerAgent service. Then the account should be
granted rights to log on as a service. Then try to restart the server (or
just the service). Remember to remove the SQL acounts from the servers admin
group before you test it.
Regards
Steen
Libor Forejtnik wrote:
> Hi, I made following steps:
> 1. Remove the SQL Server 2000 computer (W2k3) from old Windows domain
> 2. The same computer joined to new Windows domain (newdomain)
> 3. On the Domain Controler (W2k3) I create an domain account
> SQLLaunch, which is a member of Domain Users group.
> 4. On the SQL Server 2003 computer I changed the SQL Server service
> startup account to SQLStart@.newdomain account. The same thing made I
> with the SQL Server Agent Service. Both the SQL Server Service and SQL
> Server Agent start automatically when OS starts.
> after these steps I tried to start the SQL Server service, but the
> SQL Server did not start. Error message dialog appears as follows:
> "Could not start the MSSQLSERVER service on Local Computer
> Error 5: Access denied"
> After I login to the SQL Server computer using SQLStart@.newdomain
> account and try to start the sqlservr.exe in SQL Server home directory
> similar error dialog appears:
> "Access denied"
> first after I made the SQLStart@.newdomain account a member of
> the local Administrator group on ther SQL Server computer, everything
> is going well.
> What can I do to avoid to grant the Administrator's rights to the
> SQLStart@.newdomain (in order to
> minimize risk of exploits - it is not the right way to grant the
> Administrator's rights). The desire is to use a domain account
> without any Administration rights. Can anyone help me?
> thanks
> Libor
|||Thank for this usefull advice. There is another way to solve the
problem too. Simply reinstall the server with the option
"registry rebuild". I guess, it makes the same things as You
recomended. In addition, the startup account must be
registered as a SQL Server login.
Unfortunatelly, starting the SQLServerAgent needs to have the startup
account a member of the SQL Server System Administration group.
But this is not a critical for me.
Libor
On Wed, 9 Mar 2005 10:08:37 +0100, "Steen Persson"
<SPE@.REMOVEdatea.dk> wrote:
>I don't think that the account needs full admin rights to the server, but it
>needs the "log on as a service" rights. When you set the account that runs
>the service, the OS will automatically grant this right. I'd expect though
>that you need to be logged on with an account that has the rights to grant
>this rights to do it. In other words, try to log on the the server as
>Administrator (or another account with admin rights) and then set the
>account for SQLSERVER and SQLServerAgent service. Then the account should be
>granted rights to log on as a service. Then try to restart the server (or
>just the service). Remember to remove the SQL acounts from the servers admin
>group before you test it.
>Regards
>Steen
>Libor Forejtnik wrote:
>
Subscribe to:
Posts (Atom)