Setup Group Membership - SQL-FineBuild/Common GitHub Wiki
FineBuild can set up the Group Membership needed on the server for SQL Server.
The SQL Server install process will create a number of Windows groups. These groups are all local groups, except when SQL Server is installed on a Domain Controller, in which case the groups are domain level.
In the days of NT4 it used to be good practice to base server security around local groups. It was common practice to assign permissions to a local group, and then add domain groups and users to the local group so they inherited the permissions of the local group.
With Windows 2008 and above, the NT4 concept of using local groups no longer works. If a domain group or user requires file permissions on a server, then those permissions must be assigned directly to the domain object. Permissions related to services are linked to the SID for that service, not to the local group containing the service account. The local groups created by the SQL Server install process on Windows 2008 should therefore be considered as legacy objects.
The introduction of GPOs with Windows 2000 has provided a standardised method to deploy server security. GPOs can easily incorporate domain groups and well-known local groups (groups called well known have the same security identifier (SID) on all Windows installations). However, it is more complicated to include arbitrarily named local groups of the type used by SQL Server, so when a GPO is used to control group membership, normally only domain groups are used.
Group Policy Management
The Setup Group Membership configuration can be enforced by Group Policy Management.
FineBuild Group Membership Processing
Processing of Group Membership relates to Process Id 1EA in the FineBuild1Preparation script, and is always performed automatically.
Manual Setup Group Membership Processing
The following steps show what you would have to do to set up Group Membership manually. FineBuild does all of this work for you automatically.
The local server Group Membership below must be set up:
- FineBuild will configure the group membership below, but any GPO configuration will take precedence
- It is not required for any accounts to be added to the local Administrators group
- These permissions should augment but not replace the site standard membership for these groups
- Membership of the Users group will be restricted by the Setup No Windows Global Access processing
Local Server Group Name | Group Membership |
---|---|
Distributed COM Users | DBA Sysadmin Group, DBA Non-Admin Group, SQL Service Accounts |
Performance Log Users | DBA Sysadmin Group, DBA Non-Admin Group, SQL Service Accounts |
Performance Monitor Users | DBA Sysadmin Group, DBA Non-Admin Group, SQL Service Accounts |
Remote Desktop Users | DBA Sysadmin Group, DBA Non-Admin Group, (local) Administrators |
Users | DBA Sysadmin Group, DBA Non-Admin Group, SQL Service Accounts, All local Administrators users, Cluster Root account, R Services user names |
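
The membership in the table above can be audited, and optionally applied, with the built-in LocalAccounts cmdlets. This is an added example, not FineBuild's own code. The three principal names are placeholders for your site's DBA Sysadmin Group, DBA Non-Admin Group and SQL Service Accounts, and the other table entries (local Administrators, Cluster Root account, R Services user names) are left out.

```powershell
# Added example: audit the local group membership from the table, add missing members with -Apply.
# -Apply must be run from an elevated session; the audit alone only reads membership.
param([switch]$Apply)

# ASSUMPTION: placeholder principals, replace with the names used at your site.
$DbaSysadmin = 'EXAMPLE\DBA-Sysadmin'                              # DBA Sysadmin Group
$DbaNonAdmin = 'EXAMPLE\DBA-NonAdmin'                              # DBA Non-Admin Group
$SqlServices = @('EXAMPLE\svc-sqlengine', 'EXAMPLE\svc-sqlagent')  # SQL Service Accounts

$Common = @($DbaSysadmin, $DbaNonAdmin) + $SqlServices

# Expected membership per local group, taken from the table on this page.
$Expected = [ordered]@{
    'Distributed COM Users'     = $Common
    'Performance Log Users'     = $Common
    'Performance Monitor Users' = $Common
    'Remote Desktop Users'      = @($DbaSysadmin, $DbaNonAdmin)
    'Users'                     = $Common
}

$Report = foreach ($Group in $Expected.Keys) {
    # Member names are returned as DOMAIN\name or COMPUTER\name.
    $Current = @(Get-LocalGroupMember -Group $Group -ErrorAction Stop |
                 ForEach-Object Name)

    foreach ($Member in $Expected[$Group]) {
        $Present = $Current -contains $Member    # -contains is case-insensitive
        if (-not $Present -and $Apply) {
            Add-LocalGroupMember -Group $Group -Member $Member -ErrorAction Stop
            $Present = $true
        }
        [pscustomobject]@{ Group = $Group; Member = $Member; Present = $Present }
    }
}

# Existing members are never removed: the table augments the site standard
# membership, it does not replace it.
$Report | Format-Table -AutoSize

# Where a GPO controls these groups, the GPO configuration takes precedence,
# so run the audit again after the next policy refresh.
```

Rows with `Present = False` are the gaps to close, either with `-Apply` or in the GPO that manages the group.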
Copyright FineBuild Team © 2014 - 2018. License and Acknowledgements