Channel: SQL Server Setup & Upgrade forum

Domain, local group, or SID account


Hi,

I need advice on how to correctly apply permissions to a SQL Server instance.  Does this sound correct?

1) Apply local permissions to the local group (e.g., SQLServerMSSQLUser$compername$instance) when possible.

2) Apply other local permissions to the service SID (e.g., NT SERVICE\MSSQL$instance).

3) Apply domain-level permissions (e.g., remote servers and Active Directory) to the domain service account.

Is a service SID ever used when setting permissions in AD? 

We had a SQL Server failing to use NTLM or Kerberos.  The SPNs were wrong.  (No idea how that happened.)  We fixed them manually.  We granted the domain service account the rights to handle the SPN.  (Not tested yet.)  I'm not an AD person, so I don't know what account is really correct to use in this case. 

I also noticed that the service SID value for the SQL service is the same across machines if they have the same instance name.  I suppose that if this SID could be used in AD, then it would apply to all servers with that instance name? 

Is there an easy way to test if all the permissions are in place?  Our group policy is customized in the OU for SQL Servers so that the local group rights installed by SQL are not removed.  (Policy might be okay most of the time, but that does not mean it's been okay all of the time or the machine was not in the wrong OU at some point since the SQL install.) 

Can group policy remove rights from a service SID in the same way as other accounts? 

Thanks


Randy in Marin
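
The observation in the post that the service SID is identical across machines with the same instance name follows from how Windows derives it: the value depends only on the service name. The following is an added example, not part of the original post, that computes the SID offline and groups a constructed inventory by it; the host and instance names are placeholders.

```python
import hashlib
import struct
from collections import defaultdict


def service_sid(service_name: str) -> str:
    """Derive the SID Windows assigns to the per-service account of a service.

    The SID is S-1-5-80 followed by the SHA-1 of the upper-cased service
    name (UTF-16LE), read as five little-endian 32-bit sub-authorities.
    No machine or domain identifier takes part in the calculation.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subauths = struct.unpack("<5I", digest)
    return "S-1-5-80-" + "-".join(str(s) for s in subauths)


def group_by_sid(inventory):
    """Map each derived SID to the (host, service) pairs that share it."""
    groups = defaultdict(list)
    for host, service in inventory:
        groups[service_sid(service)].append((host, service))
    return dict(groups)


# Constructed inventory: host and instance names are placeholders.
SAMPLE_INVENTORY = [
    ("SQLHOST01", "MSSQL$INSTANCE"),
    ("SQLHOST02", "MSSQL$instance"),  # same instance name, different host
    ("SQLHOST02", "MSSQL$OTHER"),
    ("SQLHOST03", "MSSQLSERVER"),
]

if __name__ == "__main__":
    for sid, members in group_by_sid(SAMPLE_INVENTORY).items():
        print(sid, members)
```

The computed value can be compared with the output of `sc.exe showsid <service name>` on the server itself.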

