MSSQLTips.com - your daily source for SQL Server tips


Chad Boyd

MSSQLTips - SQL Server Blog

How to determine service-related privileges for Sql Server service account

I had a customer inquire as to how to verify service-related permissions for the Sql Server service account, i.e., Books Online indicates the Sql Server service account requires permission to start the following related services (among many other requirements): the Sql Server Active Directory Helper and Sql Writer services. Obviously, the service really wouldn't NEED permissions to do so if you weren't going to make use of said services, but let's assume for the moment that we are going to do so, and that you want to determine first of all if the Sql Server service account has these permissions and/or what permissions the account has to services on the machine in question.

There's a tool called "AccessChk" which will allow you to see this type of information, along with lots of other access-related information for given accounts. You can find information on the tool at the following link:

 http://www.microsoft.com/technet/sysinternals/utilities/AccessChk.mspx

As an example, the following command line will give you effective permissions to all services on the local machine for an account named "LTCBOYDMS\sqlService":

 accesschk "LTCBOYDMS\sqlService" -vc *

To determine service-related permissions, the -c option must be used. Without it, you get by default ACL information for files/folders/shares and other information (which is also handy). If you specify the wildcard character (the *), you'll get permission-related information for the given account against ALL services on the machine. If you're looking for information on a specific service only, you can replace the wildcard with the appropriate service name. For example, to get effective permissions to only the SQLWriter service (the service name for the Sql Writer service), you could use the following command:

 accesschk "LTCBOYDMS\sqlService" -vc "SQLWriter"

and, for the Active Directory Helper service, something like the following:

 accesschk "LTCBOYDMS\sqlService" -vc "MSSQLServerADHelper"

Output from the command should look similar to the following:

 C:\Projects\Toolbox\accessCheck>accesschk.exe "DUMMYDOMAIN\svcSqlService" -vc *

 AccessChk v2.0 - Check account access of files, registry keys or services
 Copyright (C) 2006 Mark Russinovich
 Sysinternals - www.sysinternals.com

 RW Alerter
  SERVICE_ALL_ACCESS

 RW ALG
  SERVICE_ALL_ACCESS

 RW MSSQL$SQL2000
  SERVICE_ALL_ACCESS

 RW MSSQL$SQL2005
  SERVICE_ALL_ACCESS

 RW MSSQL$SQL2005B
  SERVICE_ALL_ACCESS

 RW MSSQL$SQLEXPRESS
  SERVICE_ALL_ACCESS

 RW MSSQLServerADHelper
  SERVICE_ALL_ACCESS

 ...

 R  Pml Driver HPZ12
  SERVICE_QUERY_STATUS
  SERVICE_QUERY_CONFIG
  SERVICE_INTERROGATE
  SERVICE_ENUMERATE_DEPENDENTS
  SERVICE_PAUSE_CONTINUE
  SERVICE_START
  SERVICE_STOP
  SERVICE_USER_DEFINED_CONTROL
  READ_CONTROL

 ...

 RW SQLBrowser
  SERVICE_ALL_ACCESS

 RW SQLWriter
  SERVICE_ALL_ACCESS

 ...

 C:\Projects\Toolbox\accessCheck>

In the output, the "RW" designator at the beginning of each entry indicates Read/Write privs (whichever are present) and is followed by the service name. The -v option provides the additional output shown below each service above. SERVICE_ALL_ACCESS implies all access; if you don't have that, you should see the individual service-related privs, as in the entry above for the "Pml Driver HPZ12" service.
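To answer the original question (can the account start the Sql Writer and Active Directory Helper services?) without reading the listing by eye, the -vc output can be parsed and checked for SERVICE_START. The PowerShell below is an added example, not part of the original post or of AccessChk; the function names are hypothetical and the sample text is constructed in the shape of the output shown above.

```powershell
# Constructed sample in the shape of `accesschk "<account>" -vc *` output.
$sample = @'
RW MSSQLServerADHelper
  SERVICE_ALL_ACCESS

R  Pml Driver HPZ12
  SERVICE_QUERY_STATUS
  SERVICE_START
  READ_CONTROL

R  SQLWriter
  SERVICE_QUERY_STATUS
  SERVICE_QUERY_CONFIG
  READ_CONTROL
'@

# Hypothetical helper: map each service name to the rights listed beneath it.
function ConvertFrom-AccessChkService {
    param([string[]]$Line)
    $rights = [ordered]@{}
    $current = $null
    foreach ($l in $Line) {
        if ($l -cmatch '^\s*(RW|R|W)\s+(\S.*?)\s*$') {
            # Header: R/W summary, then the service name (which may contain spaces).
            $current = $Matches[2]
            $rights[$current] = [System.Collections.Generic.List[string]]::new()
        }
        elseif ($current -and $l -cmatch '^\s+([A-Z_]+)\s*$') {
            $rights[$current].Add($Matches[1])   # indented right under the header
        }
    }
    $rights
}

# Hypothetical helper: SERVICE_ALL_ACCESS covers every individual service right.
function Test-ServiceRight {
    param($Rights, [string]$Service, [string]$Right)
    if (-not $Rights.Contains($Service)) { return $false }
    $granted = $Rights[$Service]
    ($granted -contains 'SERVICE_ALL_ACCESS') -or ($granted -contains $Right)
}

$rights = ConvertFrom-AccessChkService -Line ($sample -split '\r?\n')
foreach ($svc in 'SQLWriter', 'MSSQLServerADHelper') {
    [pscustomobject]@{
        Service   = $svc
        CanStart  = Test-ServiceRight $rights $svc 'SERVICE_START'
        AllAccess = Test-ServiceRight $rights $svc 'SERVICE_ALL_ACCESS'
    }
}
```

With the constructed sample, SQLWriter reports CanStart as False and MSSQLServerADHelper reports True. To check a real host, pass the lines captured from the accesschk command in place of the split sample.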

Chad Boyd ~~~ This posting is provided "AS IS" with no warranties, and confers no rights. Use of any included script samples are subject to the terms specified at http://www.mssqltips.com/disclaimer.asp and http://www.mssqltips.com/copyright.asp.


About Chad Boyd

Chad is an Architect, Administrator, and Developer with technologies such as Sql Server (and all related technologies), Windows Server, and Windows Clustering. He currently works as an independent consultant and also spends a significant amount of time writing, talking, presenting and blogging about Sql Server in person and online at http://mssqltips.com. In the past, Chad has worked with companies and organizations such as Microsoft Corporation and The American Red Cross, and provided consulting/support services at companies such as Bank of America, HP, Citigroup, Qualcomm, Scottrade, TJX, SunTrust, and Zurich Financial Services. For over 3 years with Microsoft Corporation Chad was responsible for providing onsite and remote support, guidance, and advice with SQL Server products to some of Microsoft’s foremost enterprise customers running the largest, most complex SQL Server installations and configurations in the world. This included all SQL Server products and versions, including SQL Server 7.0, 2000, 2005, and recently 2008, the SQL Server database engine, Reporting Services, SSIS/DTS, Notification Services, and Analysis Services on both 32 and 64 bit systems. Chad's primary responsibilities today include troubleshooting critical server situations, performance tuning and monitoring, disaster recovery planning and execution, architectural guidance for new Sql Server related deployments, and delivering deep technical workshops/presentations/proof-of-concept sessions covering a variety of technologies and functionality. Chad regularly posts Sql Server related content, tools, and advice with the mssqltips team at http://blogs.mssqltips.com/blogs and http://mssqltips.com. Chad can be contacted via his blog or email at chad dot boyd dot tips at gmail dot com.
