Hi,
Our developers have machines in an OU that removes the log on as service right from local accounts. This means that the default SQL Server 2012 install will not work. For example, the integration services service using "NT SERVICE\MsDtsServer110" will fail to start once group policy is applied. I'm trying to follow the rules of using the least privilege required. (Our servers are in a OU that does not remove rights installed by SQL setup, so local accounts are fine there.)
I have asked out AD administrators to consider altering group policy to allow the service SIDs to have the rights required by SQL Server. However, it appears how to allow local accounts rights in group policy is not obvious. I have to wonder what is best to do in this scenario. Is it less secure to use the least privileged service accounts if group policy has to be opened to allow all local accounts to have the rights? Should we create an OU for developers? Can group policy allow just the service SIDs to retain the rights needed? Any advice is appreciated.
Thanks,
Randy
Randy in Marin