Configuring SQL Server agent proxy user rights via group policy

    Question

  • The following article, https://msdn.microsoft.com/en-us/library/ms191543(v=sql.105).aspx, discusses configuring a domain user for running SQL Server services. In the section where it discusses what user rights the user requires to support SQL Server agent proxies, the following user rights are listed:

    SeChangeNotifyPrivilege

    SeAssignPrimaryTokenPrivilege

    SeIncreaseQuotaPrivilege

    SeBatchLogonRight

    However, when I look at secpol on a server with SQL Server installed, the SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege rights both have a couple of service users/groups that seem local and that I'm not sure I can specify in group policy. In particular, each server has a principal named SQLServerSQLAgentUser$ServerName$MSSQLSERVER (where ServerName is the name of the server), so obviously, with this being unique to each server, I'm unable to specify it in group policy.

    Any ideas how I should approach this?

    Monday, September 21, 2015 11:07 PM

All replies

  • Hi Daniel Corkill,

    Thanks for your post.

    If you want to support SQL Server Agent proxies, you need to assign the SQL Server Agent service account additional permissions. If these permissions are not assigned, only members of the sysadmin fixed role will be able to create jobs. You can assign these permissions by using the following policies, found in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment:

    https://technet.microsoft.com/en-us/library/dn221963.aspx

    But the link you provided also mentions: "The account must be a member of the sysadmin fixed server role." I'm sorry that I'm not familiar with the settings for SQL Server, so you may also post in the SQL Server forum to ask whether these permissions additionally need to be assigned by Group Policy.

    If you have any problems related to Group Policy, feel free to contact us.

    Best Regards,

    Mary Dong



    Tuesday, September 22, 2015 7:26 AM
    Moderator
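
As an added example (not part of the original thread), the PowerShell below exports the local User Rights Assignment with `secedit` and lists who currently holds the four rights named in the question, so the per-server principals a domain-level policy would need to account for are visible before the rights are defined in a GPO. The function name `Get-UserRightHolders`, the temp file name and the `LocalOnly` heuristic are assumptions made for illustration; run it from an elevated prompt.

```powershell
# Added example: inventory current holders of the rights listed in the question.
$rights = 'SeChangeNotifyPrivilege', 'SeAssignPrimaryTokenPrivilege',
          'SeIncreaseQuotaPrivilege', 'SeBatchLogonRight'

function Get-UserRightHolders {          # hypothetical helper name
    param([string[]]$InfLines, [string[]]$Rights)
    foreach ($line in $InfLines) {
        # secedit writes each right as:  Name = *SID,*SID,AccountName
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $Rights -contains $Matches[1]) {
            $right   = $Matches[1]
            $holders = $Matches[2] -split ','
            foreach ($entry in $holders) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $name = $entry
                if ($entry.StartsWith('*S-')) {
                    try {
                        # Resolve the SID to DOMAIN\name where possible
                        $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $name = $entry }   # unresolvable SID: keep the raw value
                }
                # Heuristic (assumption): accounts prefixed with this computer's name
                # or NT SERVICE exist only on this server and cannot be named
                # identically in a policy shared by several servers.
                $local = ($name -like "$env:COMPUTERNAME\*") -or ($name -like 'NT SERVICE\*')
                [pscustomobject]@{
                    Right     = $right
                    Principal = $name
                    Raw       = $entry
                    LocalOnly = $local
                }
            }
        }
    }
}

$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # temp file name is arbitrary
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-UserRightHolders -InfLines (Get-Content $cfg) -Rights $rights |
    Sort-Object Right, Principal |
    Format-Table -AutoSize
Remove-Item $cfg
```

Rows with `LocalOnly` set to `True` under SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege correspond to the server-specific entries the question describes seeing in secpol.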