Group policy settings for database service accounts

Longstreet, James [USA] 1 Reputation point
2022-07-22T11:19:01.273+00:00

Typically, a Group Policy will limit the permissions below to Administrator or to only specific Active Directory Groups, or possibly only to the Active Directory Administrator Accounts. When SQL Server is installed in a developer environment, this is complicated by the way in which group policy is applied across the board. As these are only a small fraction of overall group policy, why isn't there a generalized security group setting for Active Directory that automatically releases these permissions to a developer machine that has SQL Server loaded?

SQL Server Database Engine:

  • (SeServiceLogonRight)
  • Replace a process-level token (SeAssignPrimaryTokenPrivilege)
  • Bypass traverse checking (SeChangeNotifyPrivilege)
  • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
  • Permission to start SQL Writer
  • Permission to read the Event Log service
  • Permission to read the Remote Procedure Call service

SQL Server Agent: *

  • (SeServiceLogonRight)
  • Replace a process-level token (SeAssignPrimaryTokenPrivilege)
  • Bypass traverse checking (SeChangeNotifyPrivilege)
  • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

SSIS:

  • Log on as a service (SeServiceLogonRight)
  • Permission to write to application event log.
  • Bypass traverse checking (SeChangeNotifyPrivilege)
  • Impersonate a client after authentication (SeImpersonatePrivilege)

WHITE PAPER LINK:
https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?redirectedfrom=MSDN&view=sql-server-ver16


1 answer

  1. YufeiShao-msft 7,116 Reputation points
    2022-07-26T09:05:17.99+00:00

    Hi @Longstreet, James [USA]

    When a new GPO is created, there is no security filtering and it applies to all user and computer accounts where it is linked.

    Maybe you can apply a GPO to selected computers in an OU.

    https://social.technet.microsoft.com/wiki/contents/articles/51876.group-policy-filtering-and-permission.aspx#Apply_GPO_to_Selected_Computers



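One way to apply the security filtering suggested in the answer, as an added example that is not part of the original thread. The group, GPO and OU names and the `DEVSQL*` naming pattern are hypothetical placeholders, and the script assumes the ActiveDirectory and GroupPolicy RSAT modules are installed.

```powershell
# Added example: scope one GPO to developer SQL Server machines only.
# All names below are hypothetical placeholders; substitute your own.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'SQL-Dev-Machines'                      # hypothetical security group
$GpoName   = 'SQL Dev - Service Account Rights'      # hypothetical GPO
$DevOu     = 'OU=DevWorkstations,DC=example,DC=com'  # hypothetical OU

# 1. Security group that holds the computer accounts of the dev SQL machines.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $DevOu
}
$existing = (Get-ADGroupMember -Identity $GroupName).DistinguishedName
Get-ADComputer -Filter "Name -like 'DEVSQL*'" -SearchBase $DevOu |
    Where-Object { $_.DistinguishedName -notin $existing } |
    ForEach-Object { Add-ADGroupMember -Identity $GroupName -Members $_ }

# 2. Create the GPO and link it to the OU (only on first run).
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'User rights for SQL Server service accounts (dev only)' | Out-Null
    New-GPLink -Name $GpoName -Target $DevOu -LinkEnabled Yes | Out-Null
}

# 3. Security filtering: a new GPO grants Apply to Authenticated Users, so it
#    reaches every computer under the link. Downgrade that entry to Read
#    (computers still need Read to process the GPO) and grant Apply to the group.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Review the result: only $GroupName should hold GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# The rights themselves (SeServiceLogonRight, SeAssignPrimaryTokenPrivilege,
# SeChangeNotifyPrivilege, SeIncreaseQuotaPrivilege, SeImpersonatePrivilege) are
# set inside this GPO under Computer Configuration > Policies > Windows Settings >
# Security Settings > Local Policies > User Rights Assignment; the GroupPolicy
# module has no cmdlet for them.
```

User Rights Assignment lists are not merged across GPOs: for each right, the winning GPO's list replaces the others, so this GPO needs higher precedence than the restrictive baseline and must name every account that should keep the right. Computers pick up the new group membership after a restart.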