Setup Group Membership
Previous Setup No SSL v3 | Manual Install | Setup Group Rights Next |
---|
FineBuild can set up the Group Membership needed on the server for SQL Server.
The SQL Server install process will create a number of Windows groups. These groups are all local groups, except when installed on a Domain Controller when the groups are domain level.
In the days of NT4 it used to be good practice to base server security around local groups. It was common practice to assign permissions to a local group, and then add domain groups and users to the local group so they inherited the permissions of the local group.
With Windows 2008 and above, the NT4 concept of using local groups no longer works. If a domain group or user requires file permissions on a server, then those permissions must be assigned directly to the domain object. Permissions related to services are linked to the SID for that service, not to the local group containing the service account. The local groups created by the SQL Server install process on Windows 2008 should therefore be considered as legacy objects.
The introduction of GPOs with Windows 2000 has provided a standardised method to deploy server security. GPOs can easily incorporate domain groups and well-known local groups (well-known groups have the same security identifier (SID) on all Windows installations). However, it is more complicated to include arbitrarily named local groups of the type used by SQL Server, so when a GPO is used to control group membership, normally only domain groups are used.
The Setup Group Membership configuration can be enforced by Group Policy Management.
Processing of Group Membership relates to Process Id 1EA in the FineBuild1Preparation script, and is always performed automatically.
The following steps show what you would have to do to set up Group Membership manually. FineBuild does all of this work for you automatically.
The local server Group Membership below must be set up:
- FineBuild will configure the group membership below, but any GPO configuration will take precedence
- It is not required for any accounts to be added to the local Administrators group
- These permissions should augment but not replace the site standard membership for these groups
- Membership of the Users group will be restricted by the Setup No Windows Global Access processing
Local Server Group Name | Group Membership |
---|---|
Distributed COM Users | DBA Sysadmin Group<br>DBA Non-Admin Group<br>SQL Service Accounts |
Performance Log Users | DBA Sysadmin Group<br>DBA Non-Admin Group<br>SQL Service Accounts |
Performance Monitor Users | DBA Sysadmin Group<br>DBA Non-Admin Group<br>SQL Service Accounts |
Remote Desktop Users | DBA Sysadmin Group<br>DBA Non-Admin Group<br>(local) Administrators |
Users | DBA Sysadmin Group<br>DBA Non-Admin Group<br>SQL Service Accounts<br>All local Administrators users<br>Cluster Root account<br>R Services user names |
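The following PowerShell sketch is an added example, not FineBuild's own code. It reports which of the three recurring principals from the table are missing from each local group and, with `-Apply`, adds them without removing anything. The `CONTOSO\...` names are placeholders for the site's own DBA groups and SQL service account; the Administrators-derived, Cluster Root and R Services entries are left out.

```powershell
#Requires -Version 5.1
# Added example: audit (and with -Apply, add) the group membership from the table.
param([switch]$Apply)

# Placeholder principals: replace with the site's own groups and accounts.
$DbaSysadmin = 'CONTOSO\GG_DBA_Sysadmin'
$DbaNonAdmin = 'CONTOSO\GG_DBA_NonAdmin'
$SqlService  = 'CONTOSO\svc_sqlserver'
$All = @($DbaSysadmin, $DbaNonAdmin, $SqlService)

# Well-known local groups keyed by SID, so the check also works on
# Windows installations where the group names are localized.
$Desired = [ordered]@{
    'S-1-5-32-562' = $All                           # Distributed COM Users
    'S-1-5-32-559' = $All                           # Performance Log Users
    'S-1-5-32-558' = $All                           # Performance Monitor Users
    'S-1-5-32-555' = @($DbaSysadmin, $DbaNonAdmin)  # Remote Desktop Users
    'S-1-5-32-545' = $All                           # Users
}

foreach ($groupSid in $Desired.Keys) {
    $group   = Get-LocalGroup -SID $groupSid
    # Compare members by SID rather than by display name.
    $current = @(Get-LocalGroupMember -SID $groupSid | ForEach-Object { $_.SID.Value })

    foreach ($account in $Desired[$groupSid]) {
        try {
            $sid = ([System.Security.Principal.NTAccount]$account).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            Write-Warning "$account does not resolve to a SID; skipped"
            continue
        }

        $present = $current -contains $sid
        if (-not $present -and $Apply) {
            # Add only: existing site-standard members are never removed.
            Add-LocalGroupMember -SID $groupSid -Member $account
            $present = $true
        }
        [pscustomobject]@{ Group = $group.Name; Account = $account; Present = $present }
    }
}
```

Run it without `-Apply` to get a report only. Where a GPO controls these groups, the GPO configuration still takes precedence over anything the script adds.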
Copyright FineBuild Team © 2014 - 2018. License and Acknowledgements