Sunday, February 19, 2012

Cannot get write permissions to a folder

I have a server ser1 which has the SQL Server running under the
security context of the local admin. When I try to copy the backup files
from this server to a network share it cannot access the share unless
the server has all authenticated user write permissions. On setting the
auditing on we found that ser1$ is the account which is trying to
write to the share. My question is as follows: what is the difference
between the domainname\ser1 and domainname\ser1$ account? I cannot see
this ser1$ account in the domain so I cannot give it permissions. Is
there a way I could get to this account and give it permissions to
tighten up the security?
Thanks in anticipation.
Ajay

I'm not a network administrator, but I tried the same thing before and it
doesn't work. If you want SQL to have access to network resources it has to
run under a domain account. Then you can grant permissions to that account
on the network share you are trying to access. You will either need to set up
SQL Server to run under a domain account or have SQL Server write the backup
locally and schedule a job that can run with domain credentials to copy the
backup to the network share.
Mark
Thanks Mark for the response.
Here is what I noticed and I was able to resolve the issue:
ser1$ is the computername account which is trying to access a directory
whenever the SQL Server uses a local admin account. We can resolve this
in three ways:
1. Give the network share permissions for the
domainname/computername account, in this case domainname/computername$.
2. Change SQL Server to use a domain account; this means changing the apps to
use the domain account, a non-starter in my environment as the apps are
owned by the vendors.
3. Use a proxy account for the SQL Server Agent so that even if SQL runs
on a local admin account the proxy account would enable the agent to
use a domain account.
Thanks for your response.
Ajay
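
Option 1 from the post above, sketched as an added example that is not part of the original thread: the share's broad "Authenticated Users" write access is replaced with an entry for the one computer account. The domain `CONTOSO`, the share name `SqlBackups` and the path `D:\Shares\SqlBackups` are assumed names; the share commands run on the file server.

```powershell
# All names below are assumed for illustration: domain CONTOSO, SQL host ser1,
# share "SqlBackups" published from D:\Shares\SqlBackups. Run on the file server.
$machine   = 'CONTOSO\ser1$'      # computer account: host name plus a trailing $
$shareName = 'SqlBackups'
$sharePath = 'D:\Shares\SqlBackups'

# 1. Confirm which identity the SQL services start as on ser1. In the thread,
#    auditing on the share showed ser1$ as the account attempting the write.
Get-CimInstance -ComputerName 'ser1' -ClassName Win32_Service `
    -Filter "Name='MSSQLSERVER' OR Name='SQLSERVERAGENT'" |
    Select-Object Name, StartName, State

# 2. Prove the computer account resolves in the domain. It is a computer object,
#    so a search limited to users will not list it; this throws if it is unknown.
$sid = ([System.Security.Principal.NTAccount]$machine).Translate(
    [System.Security.Principal.SecurityIdentifier])
"Resolved $machine to $($sid.Value)"

# 3. Share-level ACL: grant Change to the one machine, then drop the broad
#    "Authenticated Users" entry that was the earlier workaround.
Grant-SmbShareAccess -Name $shareName -AccountName $machine -AccessRight Change -Force |
    Out-Null
Get-SmbShareAccess -Name $shareName |
    Where-Object { $_.AccountName -like '*Authenticated Users' } |
    ForEach-Object {
        Revoke-SmbShareAccess -Name $shareName -AccountName $_.AccountName -Force |
            Out-Null
    }

# 4. NTFS ACL: Modify on the folder and everything below it.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $machine, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $sharePath
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# 5. Review the result: both the share ACL and the NTFS ACL must allow the write.
Get-SmbShareAccess -Name $shareName |
    Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $sharePath).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```

An entry for the computer account applies to every process on ser1 that authenticates to the network as the machine, not only to SQL Server, which is the trade-off against running the services under a dedicated domain account.
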
Ag wrote:
> Thanks Mark for the response.
> Here is what I noticed and I was able to resolve the issue:
> ser1$ is the computername account which is trying to access a directory
> whenever the SQL Server uses a local admin account. We can resolve this
> in three ways:
> 1. Give the network share permissions for the
> domainname/computername account, in this case domainname/computername$.
> 2. Change SQL Server to use a domain account; this means changing the apps to
> use the domain account, a non-starter in my environment as the apps are
> owned by the vendors.

This is just plain wrong. Changing the account that the SQL Server and
SQL Agent services run under has absolutely nothing to do with the
logins used by applications to connect to SQL databases. If you want to
access network resources from within SQL, this is how you do it. Change
the MSSQLSERVER and SQLSERVERAGENT services to run as a domain user, and
grant share permissions to that domain user.

> 3. Use a proxy account for the SQL Server Agent so that even if SQL runs
> on a local admin account the proxy account would enable the agent to
> use a domain account.
> Thanks for your response.
>
> Ajay

Tracy McKibben
MCDBA
http://www.realsqlguy.com

Maybe I did not explain it right: at the SQL end, changing the SQL
Server to use the domain service account would make the SQL Server run
on a domain account, but the DSN which is configured to use the local
admin account and use IIS has been configured to use the local admin by
default (that is what it chooses), SO CHANGING THE SECURITY CONTEXT OF
THE SQL SERVER SERVICE AND THE SQL AGENT SERVICE WOULD MEAN THAT I
CHANGE THE DSN OF ALL THE APPLICATIONS WHICH ARE CONFIGURED TO LOG IN
USING NT AUTHENTICATION AND LOCAL ADMIN account on the box. Surprisingly
most apps reside on the same box as the SQL Server and use the Local
Admin account and are configured to use a DSN/logins of the local
account on SQL Server.
This is difficult as it entails coordinating with vendors and so I would
not want to go with this option.
