Sign in with
Sign up | Sign in
Your question

SQL Administration without Local Admin privilege

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
November 4, 2004 12:56:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi all,

I would like to accomplish the following task without giving access to the
SQL Cluster server. I don’t know it is possible or not. Following are the
things DBA would like to perform on a SQL cluster box.

Single User Mode testing
MSSQL Folder Access
Cluster Administration
Restart the SQL Machine
Install Service Packs/hot fix

Is there any way I can assign these permissions through group policy without
giving them full Local Administrator privilege.

Thanks in advance..
Anonymous
a b 8 Security
November 6, 2004 3:55:50 AM

Archived from groups: microsoft.public.win2000.security (More info?)

As I read your post, some objectives can and some
cannot be accomplished. Comments within . . .

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"-Sari" <Sari@discussions.microsoft.com> wrote in message
news:4F981EC8-F19B-4607-9AF3-B71F0AED55D9@microsoft.com...
> Hi all,
>
> I would like to accomplish the following task without giving access to the
> SQL Cluster server. I don't know it is possible or not. Following are
the
> things DBA would like to perform on a SQL cluster box.
>
> Single User Mode testing
You would need to give the accounts full control
over the services of SQL so that they could stop
and start them to bring SQL up in single user mode.

> MSSQL Folder Access
This is only ACLing on the filesystem level

> Cluster Administration
You did not limit this to any specific aspects, so
in general this is, like it says, "Administration"
and will need Administrator access on the involved
machines

> Restart the SQL Machine
same as for running SQL in single user mode if by
the SQL Machine you mean SQL, else server operators
has ability to reboot a machine and there is a user right
governing this ability

> Install Service Packs/hot fix
This requires Adminstrators level access, but
you could leverage service delivery mechanisms
so that they do not need to initiate service application.
>
> Is there any way I can assign these permissions through group policy
without
> giving them full Local Administrator privilege.
>
> Thanks in advance..
>
Anonymous
a b 8 Security
November 9, 2004 1:07:05 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Is it possible to manage JUST windows 2003 cluster without Local
Administrator previleage on the cluster box?

"Roger Abell" wrote:

> As I read your post, some objectives can and some
> cannot be accomplished. Comments within . . .
>
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "-Sari" <Sari@discussions.microsoft.com> wrote in message
> news:4F981EC8-F19B-4607-9AF3-B71F0AED55D9@microsoft.com...
> > Hi all,
> >
> > I would like to accomplish the following task without giving access to the
> > SQL Cluster server. I don't know it is possible or not. Following are
> the
> > things DBA would like to perform on a SQL cluster box.
> >
> > Single User Mode testing
> You would need to give the accounts full control
> over the services of SQL so that they could stop
> and start them to bring SQL up in single user mode.
>
> > MSSQL Folder Access
> This is only ACLing on the filesystem level
>
> > Cluster Administration
> You did not limit this to any specific aspects, so
> in general this is, like it says, "Administration"
> and will need Administrator access on the involved
> machines
>
> > Restart the SQL Machine
> same as for running SQL in single user mode if by
> the SQL Machine you mean SQL, else server operators
> has ability to reboot a machine and there is a user right
> governing this ability
>
> > Install Service Packs/hot fix
> This requires Adminstrators level access, but
> you could leverage service delivery mechanisms
> so that they do not need to initiate service application.
> >
> > Is there any way I can assign these permissions through group policy
> without
> > giving them full Local Administrator privilege.
> >
> > Thanks in advance..
> >
>
>
>
Anonymous
a b 8 Security
November 14, 2004 12:44:33 PM

Archived from groups: microsoft.public.win2000.security (More info?)

You should ask that in the newsgroup
microsoft.public.windows.server.clustering
being specific about the OS versions and just precisely
what cluster administrative duties you wish delegated.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"-Sari" <Sari@discussions.microsoft.com> wrote in message
news:0DF1EC18-B072-48B2-B8FC-0E7C14287225@microsoft.com...
> Is it possible to manage JUST windows 2003 cluster without Local
> Administrator previleage on the cluster box?
>
> "Roger Abell" wrote:
>
>> As I read your post, some objectives can and some
>> cannot be accomplished. Comments within . . .
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server System: Security)
>> MCSE (W2k3,W2k,Nt4) MCDBA
>> "-Sari" <Sari@discussions.microsoft.com> wrote in message
>> news:4F981EC8-F19B-4607-9AF3-B71F0AED55D9@microsoft.com...
>> > Hi all,
>> >
>> > I would like to accomplish the following task without giving access to
>> > the
>> > SQL Cluster server. I don't know it is possible or not. Following are
>> the
>> > things DBA would like to perform on a SQL cluster box.
>> >
>> > Single User Mode testing
>> You would need to give the accounts full control
>> over the services of SQL so that they could stop
>> and start them to bring SQL up in single user mode.
>>
>> > MSSQL Folder Access
>> This is only ACLing on the filesystem level
>>
>> > Cluster Administration
>> You did not limit this to any specific aspects, so
>> in general this is, like it says, "Administration"
>> and will need Administrator access on the involved
>> machines
>>
>> > Restart the SQL Machine
>> same as for running SQL in single user mode if by
>> the SQL Machine you mean SQL, else server operators
>> has ability to reboot a machine and there is a user right
>> governing this ability
>>
>> > Install Service Packs/hot fix
>> This requires Adminstrators level access, but
>> you could leverage service delivery mechanisms
>> so that they do not need to initiate service application.
>> >
>> > Is there any way I can assign these permissions through group policy
>> without
>> > giving them full Local Administrator privilege.
>> >
>> > Thanks in advance..
>> >
>>
>>
>>
!