Hi, I'm Henry! I will help you with this.
The solution is to delegate permissions directly on the Failover Cluster object itself.
Here's how to do it and what the database team will need:
1. Create a Domain Group for Database Administrators:
   Create a domain security group (e.g., SQL_Cluster_Admins). Add the relevant database team members to this group.
2. Grant Permissions to the Cluster:
   You can do this using either Failover Cluster Manager (CluAdmin.msc) from a machine where you have administrative rights to the cluster, or via PowerShell.
   - Using Failover Cluster Manager (GUI):
     - Open Failover Cluster Manager (as a server operations team member with admin rights).
     - Connect to the SQL cluster in question.
     - In the left pane, right-click on the cluster name (the very top node).
     - Select Properties.
     - Go to the Cluster Permissions tab.
     - Click Add... and add the SQL_Cluster_Admins domain group.
     - With the SQL_Cluster_Admins group selected in the "Group or user names" list, grant them Full Control in the "Permissions for..." list below. "Read" access would allow them to open and view, but "Full Control" is typically needed to manage resources (failover, take offline/online etc.). If you want to be more granular, you can experiment, but "Full Control" on the cluster object is common for teams managing applications on it.
     - Click OK.
   - Using PowerShell (Recommended for scripting/consistency):
     Run this on one of the cluster nodes or a management server with Failover Clustering tools installed, as an administrator:

         Grant-ClusterAccess -Cluster YOUR_CLUSTER_NAME -User "YOUR_DOMAIN\SQL_Cluster_Admins" -Full

     Replace YOUR_CLUSTER_NAME with the actual name of your failover cluster and YOUR_DOMAIN\SQL_Cluster_Admins with your domain and group name.
     If you only wanted them to view, you could use -Read instead of -Full.
3. What the Database Team Needs:
   - Failover Cluster Manager Tool:
     The database administrators will need the Failover Cluster Manager snap-in installed on their own workstations or a management server they have access to. This is part of the Remote Server Administration Tools (RSAT).
     - For Windows 10/11 clients: Install "RSAT: Failover Clustering Tools" via Settings > Apps > Optional features > Add a feature.
     - For Windows Server (if they are using a management server): Install the "Failover Clustering" feature which includes the management tools.
   - Network Connectivity: Their machines must have network connectivity to the cluster nodes (specifically to the cluster IP address/name).
Note: Without local admin rights, the DB Team won't be able to perform OS-level administrative tasks on the nodes like installing patches, modifying general server services, browsing the local file system freely, or RDPing with full admin rights (unless explicitly granted RDP rights as non-admins).
Let me know if any of these solutions work for you.
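
A follow-up check for the delegation described above, as an added example that is not part of the original answer: it reviews cluster ACL entries and reports any principal holding Full control that is not on an approved list, plus any approved principal that did not receive it. The function name `Get-ClusterAclFinding`, the approved list and the sample rows are assumptions constructed for illustration; the rows mimic the `IdentityReference`, `AccessControlType` and `ClusterRights` properties that `Get-ClusterAccess` returns.

```powershell
# Added example. Reviews cluster ACL entries shaped like Get-ClusterAccess output
# (IdentityReference, AccessControlType, ClusterRights).
function Get-ClusterAclFinding {              # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Entry,
        # Principals approved to hold Full control (site-specific assumption).
        [Parameter(Mandatory)] [string[]] $ApprovedFull
    )
    begin { $granted = @{} }                  # identities seen with Allow/Full
    process {
        $id     = [string]$Entry.IdentityReference
        $type   = [string]$Entry.AccessControlType
        $rights = [string]$Entry.ClusterRights
        if ($type -eq 'Allow' -and $rights -eq 'Full') {
            $granted[$id] = $true
            # -notcontains compares strings case-insensitively
            if ($ApprovedFull -notcontains $id) {
                [pscustomobject]@{ Identity = $id; Finding = 'Full control not on approved list' }
            }
        }
    }
    end {
        # Report approved principals that never appeared with Allow/Full.
        foreach ($p in $ApprovedFull) {
            if (-not $granted.ContainsKey($p)) {
                [pscustomobject]@{ Identity = $p; Finding = 'Approved principal lacks Full control' }
            }
        }
    }
}

$approved = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'YOUR_DOMAIN\SQL_Cluster_Admins'

# Constructed sample rows so the script runs without a cluster.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators';         AccessControlType = 'Allow'; ClusterRights = 'Full' }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SYSTEM';            AccessControlType = 'Allow'; ClusterRights = 'Full' }
    [pscustomobject]@{ IdentityReference = 'YOUR_DOMAIN\SQL_Cluster_Admins'; AccessControlType = 'Allow'; ClusterRights = 'Read' }
    [pscustomobject]@{ IdentityReference = 'YOUR_DOMAIN\jdoe';               AccessControlType = 'Allow'; ClusterRights = 'Full' }
)
$sample | Get-ClusterAclFinding -ApprovedFull $approved | Format-Table -AutoSize

# Against a live cluster (FailoverClusters module required):
# Get-ClusterAccess -Cluster YOUR_CLUSTER_NAME | Get-ClusterAclFinding -ApprovedFull $approved
```

Running the review after each change to the Cluster Permissions tab or each `Grant-ClusterAccess` call keeps the set of Full control holders limited to the groups that were meant to have it.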