29 Ocak 2008 Salı

The SQL Server Management Pack automatically installs two Run As Profiles: the SQL Server Discovery Account and the SQL Server Monitoring Account. Unless you specify accounts for these two profiles, the Management Pack will use the Default Action Account.

Low-Privilege Environments
To configure your system to restrict access to SQL Server functions, you change Run As Profiles to use low-privilege accounts. This action restricts the level of access that the Management Pack and Operations Manager 2007 operators have on monitored computers running SQL Server. Conversely, if the default action account is too restricted to discover and monitor SQL Server, you can change Run As Profiles to use accounts with elevated privileges.
The minimum required permissions for monitoring objects are DBO privileges.
The minimum requirements for discovery are described in the following table.


Read more!

Discovery Target

Description

Database Engine, Reporting Services, Analysis Services

The Run As Account must be able to do the following:

Read registry keys under HKLM\SoftwareMicrosoft\MicrosoftSQLServer

Connect to and read from WMI Namespace root/cimv2

Connect to and read from WMI Namespace/root/Microsoft/SqlServer

Agents

The Run As Account must be able to do the following:

Connect to and read from WMI Namespace/root/cimv2

Databases

The Run As Account must be able to do the following:

Have connect right to all databases in the instance (sp_helpdb"dbname")

Select from sys.databases table

File and FileGroup

The Run As Account must be able to do the following:

Have connect right to all databases in the instance (sp_helpdb"dbname")

Jobs

The Run As Account must be able to do the following:

Run sp_help_job in the msdb database

Replication components

The Run As Account must be able to do the following:

Run the following stored procedures.

sp_get_distributor

sp_helpdistributorsp_distpublisher

Select from the sys.databases table

Replication publications and subscriptions

The Run As Account must be able to do the following:

Run sp_helppullsubscription (Requires sysadmin or db_owner role)

Run sp_helppublication
Gönderen F1 zaman: 01:21

1 yorum:

Steve dedi ki...

Hi, I was wondering if you're restricting the action account monitoring SQL instances to dbo only. E.g. and removed Builtin/Administrators from the SysAdmin role also.

Reason I'm interested is that I did this as a test and can't get SQL to pick up all the monitoring info. I logged a case with Microsoft and they confirmed that you need Sysadmin for the agent action acct to pull back all the monitoring info.

I'm wondering if I'm alone in this so far!

Thanks, Steve

22 Ekim 2008 03:54

Yorum Gönder

Kaydol: Kayıt Yorumları (Atom)