Wednesday, March 28, 2012

MSDE Service permissions

Hi All,
I'm installing MSDE 2000 with a custom application (launched using
setup.exe, not integrating merge modules) and am having a problem with the
service permissions for SQL services. The custom app installer is being
built with Installshield Pro 6.3.
Everything works fine for admin users, but MSDE won't start for non-admin
users. The MSSQL$Instance service won't start unless it's logging on as Local
System.
I need non-admin users to have access to the database.
Is there any way to set up MSDE on install to work for everyone?
What does one need to do to manually configure it after install to work for
everyone?
Thanks,
leon.
hi Leon,
"LM" <leonm@.vtn-tech.com> wrote in message
news:Oe0QyXhhEHA.904@.TK2MSFTNGP09.phx.gbl...
> Hi All,
> I'm installing MSDE 2000 with a custom application (launched using
> setup.exe, not integrating merge modules) and am having a problem with the
> service permissions for SQL services. The custom app installer is being
> built with Installshield Pro 6.3.
> Everything works fine for admin users, but MSDE won't start for non-admin
> users. The MSSQL$Instance service won't start unless it's logging on as
> Local System.
> I need non-admin users to have access to the database.
> Is there any way to set up MSDE on install to work for everyone?
> What does one need to do to manually configure it after install to work
> for everyone?
usually MSDE is installed setting the relative services account to
LocalSystem, which provides (far) enough privileges (on the local machine)
for all logged users...
have a look at
http://msdn.microsoft.com/library/de...l/THCMCh18.asp
for more restrictions..
Andrea Montanari (Microsoft MVP - SQL Server)
http://www.asql.biz/DbaMgr.shtm http://italy.mvps.org
DbaMgr2k ver 0.8.0 - DbaMgr ver 0.54.0
(my vb6+sql-dmo little try to provide MS MSDE 1.0 and MSDE 2000 a visual
interface)
-- remove DMO to reply
|||Hi Andrea,
By default the services use Local System option for log on. This worked fine
for all admin users but did not work for a non-admin user. When a non-admin
user logs in (local or domain user), the services won't start using Local
System. (side note: this is on a WinXP Pro machine). The non-admin user
cannot start or stop any service.
We did get it to work for the non-admin user by using the local
administrator account for log on (I goofed when trying it the first time by
using domain admin password instead of local admin password). This is not
the way we want to go, but it's the only way it does work right now.
I did find one thing via your link, in the Installation Recommendations:
"Create a least privileged local account with which to run the SQL Server
service. Use this account when you are prompted for service settings during
setup. Do not use the local system account or an administrator account."
There is no prompt when installing MSDE. What exactly is a "least privilege
local account"?
Any other suggestions are most welcome!
Thanks for your help.
leon.
|||hi Leon,
"LM" <leonm@.vtn-tech.com> wrote in message
news:eO0WPBthEHA.2908@.TK2MSFTNGP10.phx.gbl...
> Hi Andrea,
> By default the services use Local System option for log on. This worked
> fine for all admin users but did not work for a non-admin user. When a
> non-admin user logs in (local or domain user), the services won't start
> using Local System. (side note: this is on a WinXP Pro machine). The
> non-admin user cannot start or stop any service.
actually they should run, as all this is intended to work this way... SQL
Server is run under another privileged account than the current logged
account, which only needs to connect to the specified server and query for
information..
perhaps you have to check your local policies...

> We did get it to work for the non-admin user by using the local
> administrator account for log on (I goofed when trying it the first time
> by using domain admin password instead of local admin password). This is
> not the way we want to go, but it's the only way it does work right now.
I usually use a local account (not LocalSystem), with enough rights on
relevant share(s) if needed..

> I did find one thing via your link, in the Installation Recommendations:
> "Create a least privileged local account with which to run the SQL Server
> service. Use this account when you are prompted for service settings
> during setup. Do not use the local system account or an administrator
> account."
> There is no prompt when installing MSDE. What exactly is a "least
> privilege local account"?
no, there's not... that info is for a full blown SQL Server installation..
you have to set that property after MSDE is installed, accessing the services
management applet... perhaps it can be done via WMI, but never tried it..
Andrea Montanari (Microsoft MVP - SQL Server)
http://www.asql.biz/DbaMgr.shtm http://italy.mvps.org
DbaMgr2k ver 0.8.0 - DbaMgr ver 0.54.0
(my vb6+sql-dmo little try to provide MS MSDE 1.0 and MSDE 2000 a visual
interface)
-- remove DMO to reply
|||more,
"Andrea Montanari" <andrea.sqlDMO@.virgilio.it> wrote in message
news:2omoccFcfn07U1@.uni-berlin.de...
they do not have to... set the service's "start at bootstrap" property...
Andrea Montanari (Microsoft MVP - SQL Server)
http://www.asql.biz/DbaMgr.shtm http://italy.mvps.org
DbaMgr2k ver 0.8.0 - DbaMgr ver 0.54.0
(my vb6+sql-dmo little try to provide MS MSDE 1.0 and MSDE 2000 a visual
interface)
-- remove DMO to reply
|||The instructions on the SQLServer Installation Recommendations say to create
a new user, remove it from the users group and use it for the service login.
We created an "msde" user, removed it from Users group, set it as the Log On
As account (it is listed in the "Log on as a service" policy), gave full
access rights for the data files to Everyone, and it doesn't work.
So you have installed MSDE 2000 A and had its service (MSDE$InstanceName)
starting with a non-admin log in?
If so, you must have some magic touch because we're trying this on 2
separate machines with the same failure on each. We'll be trying it on a
fresh XP install shortly, but I don't really expect different results.
Even when logged into the XP as an administrator, setting the MSDE service
login account to "msde" causes the service to fail on a start attempt. It
gives the following error:
Could not start the MSDE$... service on Local Computer.
Error 5: Access is Denied
How do you access the "start at bootstrap" property of a service?
thanks,
leon.
|||hi Leon,
"LM" <leonm@.vtn-tech.com> wrote in message
news:%233zBrHvhEHA.644@.tk2msftngp13.phx.gbl...
> The instructions on the SQLServer Installation Recommendations say to
> create a new user, remove it from the users group and use it for the
> service login.
> We created an "msde" user, removed it from Users group, set it as the Log
> On As account (it is listed in the "Log on as a service" policy), gave full
> access rights for the data files to Everyone, and it doesn't work.
> So you have installed MSDE 2000 A and had its service (MSDE$InstanceName)
> starting with a non-admin log in?
> If so, you must have some magic touch because we're trying this on 2
> separate machines with the same failure on each. We'll be trying it on a
> fresh XP install shortly, but I don't really expect different results.
> Even when logged into the XP as an administrator, setting the MSDE service
> login account to "msde" causes the service to fail on a start attempt. It
> gives the following error:
> Could not start the MSDE$... service on Local Computer.
> Error 5: Access is Denied
I do always use a local admin account, and I never use the special
LocalSystem account, created just for this purpose and never use an actual
local or domain administrator account. The account must be in the local
Administrators group if you're installing SQL Server on Windows NT or
Windows 2000. You can create this account before you begin installing SQL
Server, or you can change the account under which SQL Server runs at a later
time.
Setting less privileges is intended in not using a Domain Admin account for
network protection.
> How do you access the "start at bootstrap" property of a service?
in the service management, select Startup Mode = automatic
Andrea Montanari (Microsoft MVP - SQL Server)
http://www.asql.biz/DbaMgr.shtm http://italy.mvps.org
DbaMgr2k ver 0.8.0 - DbaMgr ver 0.54.0
(my vb6+sql-dmo little try to provide MS MSDE 1.0 and MSDE 2000 a visual
interface)
-- remove DMO to reply
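
Andrea's replies mention changing the service account after install, possibly through WMI, and setting Startup Mode to automatic. The PowerShell below is an added example of that sequence, not code from any poster in the thread or from Microsoft. The service name `MSSQL$Instance` and the `msde` account come from the posts; the data directory path is an assumed default, and the account is assumed to already hold the "Log on as a service" right, as Leon describes.

```powershell
#Requires -RunAsAdministrator
# Added example. Service name and account come from the thread; $DataDir is an assumed path.
param(
    [string]$ServiceName = 'MSSQL$Instance',
    [string]$User        = 'msde',
    [string]$DataDir     = 'C:\Program Files\Microsoft SQL Server\MSSQL$Instance\Data'
)
$ErrorActionPreference = 'Stop'

$svc = Get-CimInstance -ClassName Win32_Service -Filter ("Name='{0}'" -f $ServiceName)
if (-not $svc) { throw "Service '$ServiceName' not found." }
Write-Host "Before: logon=$($svc.StartName) startmode=$($svc.StartMode)"

# Report Everyone (SID S-1-1-0) entries that allow Full Control on the data directory.
$acl     = Get-Acl -Path $DataDir
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$sidType = [System.Security.Principal.SecurityIdentifier]
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate($sidType).Value -eq 'S-1-1-0' -and
    ($_.FileSystemRights -band $full) -eq $full
} | ForEach-Object {
    Write-Warning "Everyone has Full Control on $DataDir (inherited: $($_.IsInherited))"
}

# Grant only the service account Modify on the directory and the files below it.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$env:COMPUTERNAME\$User", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $DataDir -AclObject $acl

# Switch the logon account through WMI (Win32_Service.Change); the password is prompted for.
$cred   = Get-Credential -UserName ".\$User" -Message "Password for the $User service account"
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $cred.UserName
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($result.ReturnValue)" }

# "Startup Mode = automatic" from the thread, so no logged-on user has to start the service.
Set-Service -Name $ServiceName -StartupType Automatic
Restart-Service -Name $ServiceName -Force
Get-CimInstance -ClassName Win32_Service -Filter ("Name='{0}'" -f $ServiceName) |
    Select-Object Name, StartName, StartMode, State
```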
|||Hi Andrea
Sorry, referring to the automatic service startup as "start at bootstrap"
property is a little different terminology than I am used to. I do
understand the automatic startup option.
We will just include some instructions for setting up the app for non-admin
users.
Thanks for your help.
leon.