SQL Server and Failover Cluster service account minimum roles best practice?
EnterpriseArchitect
6,301
Reputation points
Can you please explain and help me why the Service account for SQL Server and the Cluster Failover service account Primary group are set to Domain Admins rather than Domain Users?
Is this really required for SQL Server and SQL Servers running on MSCS Failover Cluster?
Please provide some documentation to explain whether this is the required privilege for the service account.
If there is recommended practice to follow for a minimum privilege role for the SQL Server and Failover cluster (MSCS) service account, that'd be greatly appreciated.
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | Storage high availability | Clustering and high availability
Windows for business | Windows Server | User experience | Other
Windows for business | Windows Server | Devices and deployment | Configure application groups
SQL Server | Other
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 71%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERV%3C/text%3E%3C/svg%3E)
Robbie Varn 351 Reputation points2023-07-26T14:38:24.4933333+00:00 For installing the Cluster on a windows level and for installing Sql Server, the account you use should be a Domain Admin as a one time thing for the installations. You set the account to run Sql Server as part of the installation. When Sql Server is installed, the installation grants all the permissions the Sql Server Service account you specify will need to properly function. I looked for a quick article to post for you but I cannot find one current at the moment.
-
EnterpriseArchitect 6,301 Reputation points
2023-07-26T14:51:49.2133333+00:00 Hi @Robbie Varn ,
Thank you for the response, yeah, I thought so, I am still searching for the documentation as well to make sure that I am able to demote the service account safely as the Cluster and the SQL server is now running in production.
Sign in to comment
Sign in to answer