AGPM 4.0 SP2 - AGPM Service Account Member of Backup Operators

Similar Messages

• SQL server agent job running as Agent Service Account whose service account does not have r/w access but is still able to write?

  Hi. I am newer to SQL server security and am reviewing some of our SQL server's configuration to make sure the services are running under accounts with least privilege.  I have a SQL server 2012 instance whose Agent service is configured to run
  under an AD user account named 'SQLServices'.  The jobs on this server are configured to run as 'SQL server agent service account', which means they should execute as user 'SQLServices'.  The jobs are set up to execute SSIS packages which read and
  write to a database on the same server where the agent job is scheduled and SSIS package installed (all on same server).  The jobs are currently executing without error and are reading writing data correctly.  Upon close examination, it turns out the
  SQLServices account is not assigned to the 'sysadmin' role and had no users mapped to any databases on this server.  How are these jobs working?  I verified in profiler that the login name indeed is 'SqlServices'.  I also verified
  that SQLServices login has no database access by remote-ing onto the server and trying to log into the DB, and access was denied as expected.  According to the literature, the Agent service needs to be a member of 'sysadmin role' but I am reading
  some cases where that is not necessarily the case.  So this is not so concerning.  What is concerning is that the login 'SQLServices' had no access to the databases on that server yet it is reading and writing to the databases as if it does. 
  The only thing I can think of is maybe jobs run as 'SQL server agent service account' on the same server as the databases it r/w to somehow has some kind of default access.  What am I missing here?  Any input would be helpful.

  After 2 days on this forum I found the answer to my own question.  In retrospect, I should have posted this under 'SQL Server Security', but I didn't know it existed.
  The 2 threads below explain that Sql agent actually runs using SID (service) NT SERVICE\SQLSERVERAGENT if you chose that when you installed.  This will automatically create an associated login NT SERVICE\SQLSERVERAGENT in SQL server with sqladmin
  role.  This is the login that Agent uses to connect to the local instance of SQL server.  If you changed to domain account to run the service during install or after using config manager, basically NT SERVICE\SQLSERVERAGENT is still
  used to connect to your local instance behind the scenes (even though you will still see your domain user as account), and the domain account is used to reach outside the server. 
  https://social.msdn.microsoft.com/Forums/sqlserver/en-US/9e6bb2de-8fd0-45de-ab02-d59bbe05f72e/servicedatabase-accounts-nt-servicemssqlserver-nt-servicesqlserveragent-what-are-they-for
  https://social.technet.microsoft.com/Forums/sqlserver/en-US/b83a52fd-fe11-4c28-a27b-88be8ae79f2a/how-do-i-change-sql-server-agent-service-account-to-nt-servicesqlserveragent?forum=sqlsecurity

• Error occurred while accessing application id Excel services application unattended service account from secure store service

  Hi,
    I follow up the book "Professional SharePoint 2013 Administration" to build the SharePoint 2013 BI include Excel Services. and created the Secure Store services to save the user SP_Install for member.
  For Now, I can upload the worksheet and open it in browser, but when I tried to refresh it, the SP 2013 show error "Error occurred while accessing application id Excel services application unattended service account from secure store service".
   does anybody can help ? and do I need to turn on C2WTS ? 
  Thanks
  James Liang

  Hi James,
  Excel Services can be used with Secure Store in three primary scenarios:
  Unattended Service Account
  Embedded Connections
  External Data Connections
  If you haven't configure unattended service account yet, you could refer to the article below:
  http://technet.microsoft.com/en-us/library/hh525344(v=office.15).aspx
  More information:
  http://technet.microsoft.com/en-us/library/ff191191(v=office.15).aspx
  Regards,
  Rebecca Tu
  TechNet Community Support

• SCVMM 2008 R2 - "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS)."

  I know this question has been asked before, but never for R2, that I can tell, and the posted fixes aren't working. I have just installed SCVMM 2008 R2 on a Windows Server 2008 R2 server, using a remote SQL 2008 SP1 database. When I attempt to connect to SCVMM, I get the following error:
  "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS).
  Ensure that the SQL Server service is running under a domain account or a computer account that has permission to access AD DS. For more information, see "Some applications and APIs require access to authorization information on account objects" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=121054.
  ID: 2607"
  What I've seen online is that this is usually becuase the domain account SCVMM is running as does not have the proper permissions on the SQL database. Here's what I've confirmed:
  1) My SCVMM service account is a local admin on the SCVMM server
  2) My SCVMM service account is a dbowner on the SCVMM database in SQL
  3) My SQL service account is a dbowner on the SCVMM database in SQL
  4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still "doesn't have access to AD DS," which is obviously untrue)
  5) Neither service account is locked out
  Has anyone run in to this? It says in Technet that remote SQL 2008 is supported, as long as the SQL management studio is installed to the SCVMM server, and I installed and patched before I began the SCVMM installation. I just don't know what else to try - I have no errors in event logs, no issues during the installation itself...
  Andrew Topp

  That answer was very unhelpful fr33m4n. The individual mentions that they've received the error that points to the KB article. I currently receive the same error -- there seems to be no resolution. I've run the Microsoft VBS script to add TAUG to the WAAG
  as suggested by 331951, and that made absolutely no difference.
  1) My SCVMM service account is a local admin on the SCVMM server
  2) My SCVMM service account is a dbowner on the SCVMM database in SQL
  3) My SQL service account is a dbowner on the SCVMM database in SQL
  4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still
  "doesn't have access to AD DS," which is obviously untrue)
  The user is also a member of WAAG, the machines have delegated authority to each other. Is there any other solution?

• Query relating to the creation of Managed Service Accounts

  Hi Folks
  I am studying for my 70-411 exam and have a query relating to the creation of Managed Service Accounts.
  I have successfully created an MSA account named 'MSATest' on a DC  using:
   new-adserviceaccount -name msatest –dnshostname home-dc-01 -passthru
  and
   add-AdcomputerServiceAccount -identity home-ap-01 -serviceaccount msatest -passthru
  However the guide that I am using now says that I now need to run:  Install-ADServiceAccount on the host computer in the domain to install the MSA in order to make available it available for use by services.
  So on my member server (home-ap-01) I have installed the Active Directory Module for powershell and ran:
  PS C:\Users\administrator.PCECORP> Install-ADServiceAccount -Identity msatest
  Install-ADServiceAccount : Cannot install service account. Error Message: 'An
  unspecified error has occurred'.
  At line:1 char:1
  + Install-ADServiceAccount -Identity msatest
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : WriteError: (msatest:String) [Install-ADServiceA
     ccount], ADException
      + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:Install
     ServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.Insta
    llADServiceAccount
  PS C:\Users\administrator.PCECORP>
  However this errors, Have I misunderstood the purpose of the Install-ADServiceAccount ?  or am I doing something wrong?
  Thanks in advance for you help.

  Try using  -RestrictToSingleComputer parameter when creating service account with New-ADServiceAccount.
  Gleb.
  Hi Gleb
  Thank you for your help, it is appreciated.  That did the trick.
  All the best.

• Scheduled Task as Service Account - Failed to Start 2147943785

  I am attempting to run some powershell scripts that update membership of groups based on role attribute on users, then also grabs members of some groups and updates other groups with these members.
  I've delegated access through "security" to give this service account write:member and write:memberof for the Groups OU and write:memberof for the OUs containing the user accounts.
  I've updated my Default Domain Policy to give this service account Log On As Batch Job permissions.
  The scheduled task is running from a Domain Controller.
  When I attempt to run the task as the service account I receive the following:
  Task Scheduler failed to start "\SITE Role Membership" task for user "DOMAIN\GroupScripts$". Additional Data: Error Value: 2147943785.
  What am I missing here?

  Hi Allister,
  Please follow these steps t troubleshoot:
  Type "gpedit.msc", try to configure the following policy:
   [Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment]
  1.  Log on as a batch job.
  2.  Allow log on locally.
  Add the service sccount domain\username to these two policies.
  Refer to:
  Task Scheduler failed to start - Additional
  Data: Error Value: 2147943785
  If there is anything else regarding this issue, please feel free to post back.
  Best Regards,
  Anna Wang

• SQL 2012 service accounts best practice

  I'm installing SQL Server 2012 for ConfigMgr 2012 r2 and I wonder what is the best practice for SQL service accounts.
  During the installation of SQL Server, in the server configuration/Service accounts menu I'm allowed to configure following service accounts: SQL Server Agent, SQL Server Agent Database Engine, SQL Server Reporting Services, SQL Server Browser.
  Do I have to create separate domain user (not admin) accounts for each service and configure service principal name (SPN) for all of them?
  For example: Domain user account named SQLSA for SQL Server Agent, another domain user account
  SQLADBE for SQL Server Agent Database Engine etc.

  During the installation of SQL Server 2012, the user is prompted to provide service account
  credentials. The default service accounts suggested vary depending on whether SQL Server
  2012 is installed on a computer running Windows Vista or Windows Server 2008 or on a computer
  running Windows 7 or Windows Server 2008 R2. On computers running Windows Vista
  or Windows Server 2008 operating systems, the following default service accounts are used:
  - NETWORK SERVICE Database Engine, SQL Server Agent, Analysis Services,
  Integration Services, Reporting Services, SQL Server Distributed Replay Controller,
  SQL Server Distributed Replay Client
  - LOCAL SERVICE SQL Server Browser, FD Launcher (Full-Text Search)
  - LOCAL SYSTEM SQL Server VSS Writer
  On computers running Windows 7 or Windows Server 2008 R2 operating systems, the following
  default accounts are used:
  - Virtual Account or Managed Service Account Database Engine, SQL Server Agent,
  Analysis Services, Integration Services, Replication Services, SQL Server Distributed
  Replay Controller, SQL Server Distributed Replay Client, FD Launcher (Full-Text Search)
  - LOCAL SERVICE SQL Server Browser
  - LOCAL SYSTEM SQL Server VSS Writer
  For Windows 7 and Windows Server 2008 R2, you can use a Managed Service Account
  (MSA) or a Managed Local Account. The differences between these account types are as
  follows:
  - Managed Service Account (MSA) This special kind of domain account managed
  by a domain controller is assigned to a single member computer and used for running
  services. The MSA password is managed by the domain controller. MSAs can register
  a Service Principal Name (SPN) with Active Directory. MSAs use a $ name suffix; for
  example, CONTOSO\SQL-A-MSA$. You must create the MSA prior to running SQL
  Server Setup if you want to use an MSA with SQL Server services.
  - Virtual Accounts or Managed Local Accounts These virtual accounts can access
  the network in a domain environment and are used by default for service accounts
  during SQL Server 2012 setup when run on Windows 7 or Windows Server 2008 R2.
  Such accounts use the NT SERVICE\<SERVICENAME>format. You don’t need to specify
  a password when using virtual accounts with SQL Server 2012 because this is handled
  automatically by the operating system.
  You should run SQL Server services, using the minimum possible user rights, and use an
  MSA or virtual account when possible. If you are manually configuring service accounts, use
  separate accounts for different SQL Server services. If it is necessary to change the properties
  of service accounts used for SQL Server 2012, use SQL Server tools such as SQL Server
  Configuration Manager. This ensures that all necessary dependencies are
  updated, which does not happen if you use only the Services console.
  Although you can configure domain accounts as service accounts, this strategy requires
  more effort because you must ensure that service account passwords are changed regularly.
  You must also manage SPNs, which are required for Kerberos authentication.
  Best regads
  P.Ceglie

• RMS Service Account ConnectionString

  Hi All
  Windows 2003 SP2, RMS 1.0 SP2, Microsoft SQL Server 2008
  I am unable to change the RMS Service Account via the Admin page.  Submitting the change fails with 'The ConnectionString property has not been initialized'.  I'm logged on with a Domain Account and have SA on the DB. 
  Cheers
  MSR

  Perhaps not applicable, but I was getting this error after upgrading from Server 2008 to Server 2008 R2.  It turns out that the '2.0' registry hive under HKLM\Software\Microsoft\DRMS was missing and I had to import it from a backup that I had (alternatively,
  it would appear that you can make a '2.0' hive and just copy the contents of the DRMS hive down into it since it looks like they just moved everything up a level).

• Error 17058 Unable to start a service account on MSSQLServer and SQL Agent

  hi
  I am intalling SQL 2008 standard with SP1 on a Windows Server 2003 R2 SP2.
  I installed as  "local service account" for MSSQLServer (SQL database engine) and SQL agent.
  But I want to change to "service account" as [domain\svc_XXX] for MSSQLserver and SQL agent.
  I add the [domain\svc_XXX]  in local security policy - "Log as a service"
  and also add in SSMS - Security - New Login (windows authentication.
  When I started the MSSQLserver and SQL agent using the [domain\svc_XXX], I got an error 17058.  Initerrlog: could not open error log file."  Operating system error=3 (The system cannot find the path specified).
  I don't know where else to look at..
  Also, how do I find the cumulative service pack for SQL server 2008 standard?
  thanks
  Irene

  Hi Irene:
  By seeing your error message "When I started the MSSQLserver and SQL agent using the [domain\svc_XXX],
  I got an error 17058.  Initerrlog: could not open error log file."  Operating system error=3 (The system cannot find the path specified)."
  Please provide access to domain\svc_XXX on
  log file directory.
  Thanks,
  Satish Kumar.
  Thanks, Satish Kumar. Please mark as this post as answered if my anser helps you to resolves your issue :)

• Service account for Windows Update sync

  Hi all,
  I would like to know if it's possible to change service account used by WSUS 2008R2 SP1 to sync with Windows Update servers, and if so how.
  Thanks. Have a good day.
  FXE

  Hi,
  Do you want to use the different account for the WSUS management? Is so, that account must be a member of either the WSUS Administrators or the local Administrators security
  groups on the server on which WSUS is installed in order to use the WSUS console.
  The related KB:
  Step 4: Configure and Synchronize WSUS
  http://technet.microsoft.com/en-us/library/cc708455(v=ws.10).aspx
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Default ZAM 10 Windows Service Accounts

  Hi there,
  My customer's security department did a review and noticed some strangely named service accounts in this Windows 2008 member server running just ZAM 10. They would like to get more info on these accounts but we could find none in the documentation.
  Here is part of the conversation:
  Our security people are questioning some logon accounts used by Novell Zam/ZCM on servers. (See Below). It has proven impossible so far to find definitive info about these accounts possibly due to Google not liking the format of the account name. The account used on the main server is slightly different (.\__z_1_200__). These accounts were created by Zam on install. Any information on them would be greatly appreciated and in particular the rights they require on the server.
  There is a strange local admin user set up <server-name>.
  The account is called _z_1_80_ . Does anyone know what it is?
  It must be created as part of the zcm product that is installed on this server. The server <another-server> also has an account like this and this has zcm installed also.
  Also is a screen shot of the services aplet.
  cheers,
  Kirk

  They are created during the install for using in various ZEN Services.
  There is nothing special about the accounts other than that they are
  local administrators.
  The Services using those accounts can be changed to use another local
  administrators accounts by using the services control panel.
  On 7/21/2010 11:46 AM, kmaule wrote:
  >
  > Hi there,
  >
  > My customer's security department did a review and noticed some
  > strangely named service accounts in this Windows 2008 member server
  > running just ZAM 10. They would like to get more info on these accounts
  > but we could find none in the documentation.
  >
  > Here is part of the conversation:
  >> Our security people are questioning some logon accounts used by Novell
  >> Zam/ZCM on servers. (See Below). It has proven impossible so far to find
  >> definitive info about these accounts possibly due to Google not liking
  >> the format of the account name. The account used on the main server is
  >> slightly different (.\__z_1_200__). These accounts were created by Zam
  >> on install. Any information on them would be greatly appreciated and in
  >> particular the rights they require on the server.
  >>
  >>
  >> There is a strange local admin user set up<server-name>.
  >> The account is called _z_1_80_ . Does anyone know what it is?
  >> It must be created as part of the zcm product that is installed on
  >> this server. The server<another-server> also has an account like this
  >> and this has zcm installed also.
  >
  > Also is a screen shot of the services aplet.
  >
  > cheers,
  > Kirk
  >
  >
  > +----------------------------------------------------------------------+
  > |Filename: ZAM10WindowsServices.jpg |
  > |Download: http://forums.novell.com/attachment....achmentid=4626 |
  > +----------------------------------------------------------------------+
  >
  Craig Wilson - MCNE, MCSE, CCNA
  Novell Knowledge Partner
  Novell does not officially monitor these forums.
  Suggestions/Opinions/Statements made by me are solely my own.
  These thoughts may not be shared by either Novell or any rational human.

• I am trying to register an account member to have access to the back up assistant for the account members line

  I am trying to register a line on my account as an account member, how do I do that?

  Go to www.verizonwireless.com and click on the blue Register (under the sign-in box) and follow the prompts for the phone number that needs MyVerizon access.

• How to Block Account member in input reporting for some users?

  Hi experts, i need to know if is possible to block input of values for some Users in the Account Dimension so that some users can input value in the report but other user cant do it.
  I try to do this from "member access profile" but this option only allow you to define access right for one specifict parent o member.
  I mean, is posible to asigned to Account Dimension a Propertie type "OWNER" like ENTITY?
  For example: one user must to input value for the Account member "CASH", but other user dont, however i have to show the same input reporting for both users.
  I hope understand the question, im sorry about my english
  thank you in advance
  Ignacio Vazquez

  I would think you could do one of the following:
  Either set account as a secured dimension.  You would then define security profiles for all account groups and assign those to your users / teams as appropriate.  Would take a while to setup initially, but if your users don't change that much it shouldn't be too difficult to manage once it's done.
  Setup different input templates that only showed the accounts you wanted each group of users to see.  Put the templates in different site folders and assign access to those sites as required.  users would then only have access to open the template applicable to them.  Would require that you basically make duplicate copies or your current template, modify and save to different site folders which could become a pain if the template requires changes (since you would now have to make the same change multiple times).
  Setup a macro in the current template so that you need to enter a password to unlock the send commands for the respective accounts.  I don't know if it can be setup to support multiple passwords - assuming it can, password 1 would unlock all accounts, password 2 would only unlock CASH accounts, password 3 would only unlock LIABILITY accounts, etc.  You then distribute the passwords to the users as appropriate.
  Hope that helps.

• How to add a service account in SQL Server to display the "Service Account Name" and "Display Name"

  Can someone
  help with steps on how to add the following in SQL Server 2012 environments?<o:p></o:p>
  "Service Account Name" and "Display Name"<o:p></o:p>
  Your help will be greatly appreciated.<o:p></o:p>
  leonie6214

  Hello,
  Is the following article what you are looking for?
  http://msdn.microsoft.com/en-us/library/ms345578.aspx
  If not, could you explain a little bit more what you want to accomplish?
  Hope this helps.
  Regards,
  Alberto Morillo
  SQLCoffee.com

• EWS API - Impersonating to update a calendar item created by any other user than a service account, raise an error "Access is denied. Check credentials and try again."

  Hi,
  I am new to using EWS managed APIs.
  Following is the issue:
  1. I am using a service account e.g. [email protected]. This user is a global administrator and also has ApplicationImpersonation role assigned. (Sign into Online Office 365 account -> Admin -> select "Exchange" tab- > select Permissions
  on the left panel -> create an impersonation role -> assign ApplicationImpersonation in Roles: and [email protected] in Members: -> Click on save)
  2. Create a calendar item by other user for e.g. [email protected], and invite an attendee - [email protected].
  3. In a c# program, I connect to EWS service using a service account - [email protected], fetch its calendar events. If organizer of an event is some other user - [email protected] then
  I use impersonation in the following way to update the calendar event/item properties- subject, body text etc.
          private static void Impersonate(string organizer)
              string impersonatedUserSMTPAddress = organizer;
              ImpersonatedUserId impersonatedUserId =
                  new ImpersonatedUserId(ConnectingIdType.SmtpAddress, impersonatedUserSMTPAddress);
              service.ImpersonatedUserId = impersonatedUserId;
  4. It was working fine till yesterday afternoon. Suddenly, it started throwing an exception "Access is denied. Check credentials and try again." Whenever I try to
  update that event.
         private static void FindAndUpdate(ExchangeService service)
              CalendarView cv = new CalendarView(DateTime.Now, DateTime.Now.AddDays(30));
              cv.MaxItemsReturned = 25;
              try
                  FindItemsResults<Item> masterResults = service.FindItems(WellKnownFolderName.Calendar, cv);
                  foreach (Appointment item in masterResults.Items)
                      if (item is Appointment)
                          Appointment masterItem = item as Appointment;
                          if (!masterRecurEventIDs.Contains(masterItem.ICalUid.ToString()))
                              masterItem.Load();
                              if (!masterItem.Subject.Contains(" (Updated content)"))
                                  //impersonate organizer to update and save for further use
                                  Impersonate(masterItem.Organizer.Address.ToString());
                                  // Update the subject and body
                                  masterItem.Subject = masterItem.Subject + " (Updated content)";
                                  string currentBodyType = masterItem.Body.BodyType.ToString();
                                  masterItem.Body = masterItem.Body.Text + "\nUpdated Body Info:
  xxxxxxxxxxxx";
                                  // This results in an UpdateItem operation call to EWS.
                                  masterItem.Update(ConflictResolutionMode.AutoResolve);
                                  // Send updated notification to organizer of an appointment
                                  CreateAndSendEmail(masterItem.Organizer.Address.ToString(), masterItem.Subject);
                                  masterRecurEventIDs.Add(masterItem.ICalUid.ToString());
                              else
                                  Console.WriteLine("Event is already updated. No need to update again.:\r\n");
                                  Console.WriteLine("Subject: " + masterItem.Subject);
                                  Console.WriteLine("Description: " + masterItem.Body.Text);
              catch (Exception ex)
                  Console.WriteLine("Error: " + ex.Message);
  5. What could be an issue here? Initially I thought may be its a throttling policy which is stopping same user after making certain API call limits for the day, but I am still seeing this issue today.
  Any help is appreciated.
  Thanks

  Your logic doesn't sound correct here eg
  2. Create a calendar item by other user for e.g. [email protected], and invite an attendee - [email protected]
  3. In a c# program, I connect to EWS service using a service account - [email protected], fetch its calendar events. If organizer of an event is some other user - [email protected] then
  I use impersonation in the following way to update the calendar event/item properties- subject, body text etc.
  When your connecting to [email protected] mailbox the only user that can make changes to items within
  abccalendar is abc (or ABC's delegates). If your impersonating the Organizer of the appointment pqr that wouldn't work unless the organizer had rights to abc's calendar. If you want to make updates to a calendar
  appointment like that you should connect to the Organizers mailbox first update the original, send updates and then accept the updates.
  When you impersonate your impersonating the security context of the Mailbox your impersonating so its the same a logging on as that user in OWA or Outlook.
  Cheers
  Glen