Hi,

I'd like our DBA team to be able to fully manage SQL server but without the
need for Local Admin rights on the operating system. In theory I can grant
sysadmin role on the server, read/write access to the DATA, FTDATA and
BACKUP FileSystem locations etc. They need to be able to backup and restore
so FileSystem access is essential. There are also special Windows groups set
up by SQL 2005 into which you can add users and groups.

One area where I'm stuck, is the ability to start/stop the actual SQL 2005
related Windows Services. I have not tested it yet, but it seems only
Administrators would be allowed to start/stop the services.

Anyone have experience of a setup that does not require Local Admin rights?

--
Gerry Hickman
London (UK)

Practically, I think you are asking for trouble to limit DBAs' privileges on
the box. I know there is this drive to limit access for better security. But
I don't think everything has been thought out carefully (including by the
vendors), and you'll likely run into a scenario where your DBA needs local
admin access in order to troubleshoot or fix a problem.

Well, if somebody has been very successful in limiting the DBA privileges
without impeding thier ability to maintaining the environment and providing
effective support, I'm all ears.

Linchi

"Gerry Hickman" wrote:

> Hi,
>
> I'd like our DBA team to be able to fully manage SQL server but without the
> need for Local Admin rights on the operating system. In theory I can grant
> sysadmin role on the server, read/write access to the DATA, FTDATA and
> BACKUP FileSystem locations etc. They need to be able to backup and restore
> so FileSystem access is essential. There are also special Windows groups set
> up by SQL 2005 into which you can add users and groups.
>
> One area where I'm stuck, is the ability to start/stop the actual SQL 2005
> related Windows Services. I have not tested it yet, but it seems only
> Administrators would be allowed to start/stop the services.
>
> Anyone have experience of a setup that does not require Local Admin rights?
>
> --
> Gerry Hickman
> London (UK)
>
>

Hi Linchi,

Thanks for the comments, I'm still interested to hear of experience of
others in relation to this.

"Linchi Shea" <LinchiShea@discussions.microsoft.com> wrote in message
news:AD0FA82A-29AB-47B8-99DD-CE84933744CB@microsoft.com...
> Practically, I think you are asking for trouble to limit DBAs' privileges
> on
> the box. I know there is this drive to limit access for better security.
> But
> I don't think everything has been thought out carefully (including by the
> vendors), and you'll likely run into a scenario where your DBA needs local
> admin access in order to troubleshoot or fix a problem.
>
> Well, if somebody has been very successful in limiting the DBA privileges
> without impeding thier ability to maintaining the environment and
> providing
> effective support, I'm all ears.
>
> Linchi
>
> "Gerry Hickman" wrote:
>
>> Hi,
>>
>> I'd like our DBA team to be able to fully manage SQL server but without
>> the
>> need for Local Admin rights on the operating system. In theory I can
>> grant
>> sysadmin role on the server, read/write access to the DATA, FTDATA and
>> BACKUP FileSystem locations etc. They need to be able to backup and
>> restore
>> so FileSystem access is essential. There are also special Windows groups
>> set
>> up by SQL 2005 into which you can add users and groups.
>>
>> One area where I'm stuck, is the ability to start/stop the actual SQL
>> 2005
>> related Windows Services. I have not tested it yet, but it seems only
>> Administrators would be allowed to start/stop the services.
>>
>> Anyone have experience of a setup that does not require Local Admin
>> rights?
>>
>> --
>> Gerry Hickman
>> London (UK)
>>
>>