SQL MP Run As Account

  • Question

  • Hi All,

    We are monitoring SQL servers with SCOM R2 with the latest MP. Agents are installed with the Local System account. The local system account on the SQL boxes has SA rights. But I keep getting the below alert for a SQL server.

    "Run As Account does not exist on the target system or does not have enough permissions"

    Managegement Group: XXXXXXX. Script: GetSQL2008DBFileGroupFreeSpace.vbs : Cannot login to database [XXXXXXXXX.XXX][XXXXX:master]

    Any help on this is much appreciated.

    Thanks, Sarav
    Friday, May 6, 2011 1:12 AM

All replies

  • You should double check the permissions for the local system account. Perhaps the DBA has restricted permissions on the master database?
    Regards,
    Marc Klaver
    http://jama00.wordpress.com/
    Friday, May 6, 2011 7:42 AM
  • Hi Sarav

    The other thing to check is whether there are any databases on the SQL Server set to auto-close (especially if this is SQL Express). I have found that with a database that is closed, this alert gets thrown as well (I guess OpsMgr can't log in as the database is closed). It is unlikely to be the case as the database specified in your error is master, but it might be worth a check.

    Cheers

    Graham


    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Friday, May 6, 2011 10:35 AM
  • No, Auto close is not enabled in any of the databases. Also using the local system account, which has SA admin rights.

    Not sure why I am getting this alert.

    Thanks, Sarav
    Saturday, May 7, 2011 10:16 PM
  • First check specifically for the rights on the master database to start with. Just to make sure.
    Bob Cornelissen - BICTT (My BICTT Blog)
    Sunday, May 8, 2011 9:19 AM
  • The account has all the permissions in the database.

    Thanks, Sarav
    Sunday, May 8, 2011 5:42 PM
  • LocalSystem can not be used to monitor SQL servers.  You must follow the directions in the guide to set up a run-as-account for the SQL computers.
    Microsoft Corporation
    Monday, May 9, 2011 3:48 PM
  • LocalSystem can not be used to monitor SQL servers.  You must follow the directions in the guide to set up a run-as-account for the SQL computers.

    This is not entirely true. By default, the system account no longer has sufficient rights. But it can be the system account that is monitoring your SQL server; it just needs the correct access rights to the databases.
    Regards,
    Marc Klaver
    http://jama00.wordpress.com/
    Monday, May 9, 2011 4:50 PM
  • I second the remark made by Marc. I am monitoring hundreds of SQL boxes with LocalSystem. But it must have some rights in SQL in some cases, otherwise it can't monitor deep enough. You will see an alert in SCOM when this happens, by the way.
    Bob Cornelissen - BICTT (My BICTT Blog)
    Monday, May 9, 2011 4:53 PM
  • What kind of permission is required on the SQL, if I use the local system account?
    Thanks, Sarav
    Monday, May 9, 2011 5:59 PM
  • As long as the connection method does not require using the network - e.g. connect string uses . instead of FQDN, named pipes are not used, etc. - then LocalSystem may have a chance of working, assuming you give it enough super-user rights.
    Microsoft Corporation
    Monday, May 9, 2011 7:17 PM
  • SQL sysadmin role rights would do it for the system account. So in short, a lot of rights. But it is system, so I don't have that much of a problem with that, to be honest.
    Bob Cornelissen - BICTT (My BICTT Blog)
    Tuesday, May 10, 2011 4:18 PM
  • If you look at what the SQL MP guide tells us:

    To configure a Run As Account with the minimum set of permissions required for SQL Server monitoring purposes, the following permissions are required: the account must be a member of the monitored computer’s built-in Administrators group and Performance Monitors Users group, and it must be a member of the SysAdmin role within the instance or instances of SQL Server being monitored.

     

    I think you would even be better off using a local system account :)

    Especially if you use domain accounts for multiple SQL servers.


    Regards,
    Marc Klaver
    http://jama00.wordpress.com/
    Wednesday, May 11, 2011 1:04 PM
  • Local admins can easily gain access into SQL when the local system account is SA (only true when local admins are denied; by default local admins can access it anyway).

    However, a domain account can easily be used to gain access to SQL by whoever controls the account.

    So who do you trust?

    I also prefer the system account and will only set up a SQL Run As account when I really need to (never so far :)).


    Rob Korving
    http://jama00.wordpress.com/
    • Marked as answer by Dan Rogers Friday, May 13, 2011 4:30 PM
    Wednesday, May 11, 2011 2:35 PM
  • Same here. If I can use the LocalSystem account I will use that one. Normally it either works or you need to assign the local system account the sysadmin rights in the SQL instance and you are ready. No need for additional accounts, which can generate trouble as well (especially if the password is reset or expired or whatever). And of course you don't need to create the system account :-) Saves some work.

    In any case Sarav, I think your question will be answered now. Good luck!


    Bob Cornelissen - BICTT (My BICTT Blog)
    Wednesday, May 11, 2011 2:42 PM
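
Added example, not part of the thread and not taken from the SQL MP guide: read-only T-SQL checks covering the points the replies raise (whether Local System is a login with sysadmin, who else holds sysadmin, explicit denies on the login, and closed or auto-close databases). It assumes the agent's Local System identity appears in the instance as the login `NT AUTHORITY\SYSTEM` (the name is localized on non-English Windows) and that the queries are run by a sysadmin on the monitored instance.

```sql
-- Added example: read-only checks, SQL Server 2008 and later.
-- Assumption: the agent's Local System identity is the login NT AUTHORITY\SYSTEM.

-- 1. Does the Local System login exist, and is it enabled?
--    No row returned means the login was removed from the instance.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE sp.name = N'NT AUTHORITY\SYSTEM';

-- 2. Every login or group that holds sysadmin. This is the full set of
--    identities that control the instance, whichever monitoring account
--    is chosen; look for NT AUTHORITY\SYSTEM, BUILTIN\Administrators and
--    any shared domain Run As account here.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 3. Explicit server-level permissions on the Local System login.
--    A DENY on CONNECT SQL blocks the login even with role membership.
SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'NT AUTHORITY\SYSTEM';

-- 4. Databases the monitoring scripts may fail to open:
--    anything not ONLINE, or with AUTO_CLOSE switched on.
SELECT d.name, d.state_desc, d.is_auto_close_on
FROM sys.databases AS d
WHERE d.state_desc <> N'ONLINE'
   OR d.is_auto_close_on = 1;
```

Query 2 is worth keeping as a periodic audit: a domain Run As account reused across many SQL servers shows up in this list on every one of them.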