Get rights for Server service account on exchange servers

Similar Messages

• Reviewing Windows NT Rights and Privileges Granted for SQL Server Service Accounts

  Hi Folks,
  I am an experienced .NET apps developer who has been tasked with writing a bunch of technical controls for all the SQL Server instances on a domain.
  So for the last month I have been diving in the deep end learning Powershell, dba and infrastructure tasks. This is still a work in progress, so be kind to me.. ;o)
  So the task I am stuck on is described in the section on 'Reviewing Windows NT Rights and Privileges Granted for SQL Server Service Accounts' http://technet.microsoft.com/en-us/library/ms143504(v=sql.105).aspx
  I have not been able to find cmdlets that gives me this information. I have found some exes which come frustratingly close like NTRights.exe. This lets me specify a computer name which is great, but only seems to let you set or deny permissions, not just
  list them!
  Any help with this would be very much appreciated as I am firmly stuck. As per comments above also bear in mind that up until around 1.5 months ago I had never used powershell / knew very much at all about SQL server admin etc. Feeling much more comfortable
  with them now, but much less so with Active Directory/ windows permission structures etc so please can I ask anyone kind enough to reply to try and keep the acronyms down as much as humanly possible.. ;o)
  Cheers 
  Kieron

  Hi Kieron,
  Take a look at this module, it makes permissions much easier to work with than what's currently available:
  https://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83
  Don't retire TechNet! -
  (Don't give up yet - 13,085+ strong and growing)

• SQL Server Service account setup

  Yes, you would have to create a login for it. See your other post for info about the error you're getting.

  I am currently running MS SQL 2008 R2 on a Windows Server 2008 R2 box.  The SQL services are currently running under the NetworkService account and I want to change this to a domain account but I am having some trouble.  I have created the domain account and have tried to go into SSCM and change the account there but I get various errors depending on the service I try to change.  When changing the account on the SQL Server Service I get an error "Access is Denied"
  I am assuming I need to assign some rights to this new account BUT I thought changing the account in SSCM would do that automatically but it looks like that assumption is wrong.
  What is the best procedure for changing the SQL Server Service account to a domain account on SQL Server 2008?
  This topic first appeared in the Spiceworks Community

• SCVMM 2008 R2 - "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS)."

  I know this question has been asked before, but never for R2, that I can tell, and the posted fixes aren't working. I have just installed SCVMM 2008 R2 on a Windows Server 2008 R2 server, using a remote SQL 2008 SP1 database. When I attempt to connect to SCVMM, I get the following error:
  "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS).
  Ensure that the SQL Server service is running under a domain account or a computer account that has permission to access AD DS. For more information, see "Some applications and APIs require access to authorization information on account objects" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=121054.
  ID: 2607"
  What I've seen online is that this is usually becuase the domain account SCVMM is running as does not have the proper permissions on the SQL database. Here's what I've confirmed:
  1) My SCVMM service account is a local admin on the SCVMM server
  2) My SCVMM service account is a dbowner on the SCVMM database in SQL
  3) My SQL service account is a dbowner on the SCVMM database in SQL
  4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still "doesn't have access to AD DS," which is obviously untrue)
  5) Neither service account is locked out
  Has anyone run in to this? It says in Technet that remote SQL 2008 is supported, as long as the SQL management studio is installed to the SCVMM server, and I installed and patched before I began the SCVMM installation. I just don't know what else to try - I have no errors in event logs, no issues during the installation itself...
  Andrew Topp

  That answer was very unhelpful fr33m4n. The individual mentions that they've received the error that points to the KB article. I currently receive the same error -- there seems to be no resolution. I've run the Microsoft VBS script to add TAUG to the WAAG
  as suggested by 331951, and that made absolutely no difference.
  1) My SCVMM service account is a local admin on the SCVMM server
  2) My SCVMM service account is a dbowner on the SCVMM database in SQL
  3) My SQL service account is a dbowner on the SCVMM database in SQL
  4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still
  "doesn't have access to AD DS," which is obviously untrue)
  The user is also a member of WAAG, the machines have delegated authority to each other. Is there any other solution?

• SQL Server Service Account - Domain Account - WMI Provider Error - 0x80092004

  Hi,
  if I try to use an domain account for SQL service start using SQL configuration Manager I receive the error
  WMI Provider Error - 0x80092004
  in Popup Window and in Eventlog 5 Error Events from Source MSSQLSERVER:
  26014:
  Unable to load user-specified certificate [Cert Hash(sha1) "BA78B5DBF93CCD7EFA1860C99B0D6141D480199A"]. The server will not accept a connection. You should verify that the certificate is correctly installed. See "Configuring Certificate for
  Use by SSL" in Books Online.
  17182:
  TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property. "
  17182:
  TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.
  17826:
  Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
  17120:
  SQL Server could not spawn FRunCommunicationsManager thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.
  After I put the account in local administrator group the service starts up.
  I want to use the lowest privileges. Do I really need the SQL server service account in local administrator group? How to fix the error?
  thanks

  Hi baschuel,
  It is recommended to run SQL Server service by using the lowest possible user rights and it is supported to use a domain account instead of an account from local Administrators group to configure SQL Server service. According to your error messages, the
  issue could be due to that the incorrect certificate is used, or the domain account has no access to the Crypto folder(C:\ProgramData\Microsoft\Crypto). To troubleshoot the issue, you could follow the two solutions below.
  1.Import the correct certificate following the steps in the article:
  http://windows.microsoft.com/en-hk/windows/import-export-certificates-private-keys#1TC=windows-7
  2.Grant the domain account full access to the Crypto folder.
  Regards,
  Michelle Li
  If you have any feedback on our support, please click
  here.

• Network Service account and Exchange 2013 services

  I installed Exchange 2013 CU8 on two 2012 R2 machines, but the services that run under Network Service for Exchange won't start. If I put Network Service in the local admin group, the services start. Prior to putting it in the admin group, I gave it full
  permission on all Exchange folders, but that didn't help...thanks.

  Hi,
  Please run “setup.com /preparedomain” and see if the permission are set to default and the issue persists.
  Please add Read permission for NT AUTHORITY\Network Service to all Exchange servers in ADSIEdit to have a try:
  Expand CN=Configuration,DC=domain,DC=.com > CN=Services > CN=Microsoft Exchange > CN=Domain > CN= Administrative Groups > CN=(Group name) > CN=Servers. Right-click all Exchange service, and add Read permission for NT AUTHORITY\Network Service
  account.
  Regards,
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Winnie Liang
  TechNet Community Support

• SQL Server services accounts using Managed Service Accounts

  Hi guys,
  Need your feedback on something, is it wiser to use Managed Service Accounts or normal domain accounts to run SQL Server services? MSA's only work in a single computer, so for every environment I would need to create a new set of sql services accounts.
  If I create a single account wouldn't it be simpler? For instance domain\sqlservices and set it on every service and every environment (dev, qa and production)

  Hi
  It is a good question but the answer is not black or white. The answer is depend like most configuration questions.
  I recommend you to use
  Google to find blogs about the issue.
  You can start from this links, which are great starting point for you question:
  Best Practices For Using SQL Server Service Accounts
  Book Online
    Ronen Ariely
   [Personal Site]    [Blog]    [Facebook]

• Does changing the SQL Server Service Account impact FILESTREAM data?

  I have a stand-alone SQL Server 2008 instance that I need to change the SQL Server service account from LocalSystem to a domain account.  However, I was wondering if there was any impact on FILESTREAM enabled databases that are hosted on the SQL Server? 
  Specifically, has anyone ever changed the SQL Server service account when using FILESTREAM ...
  Sincerely,
  Sean Fitzgerald

  I have a stand-alone SQL Server 2008 instance that I need to change the SQL Server service account from LocalSystem to a domain account.  However, I was wondering if there was any impact on FILESTREAM enabled databases that are hosted on the SQL Server? 
  Specifically, has anyone ever changed the SQL Server service account when using FILESTREAM ...
  Sincerely,
  Sean Fitzgerald
  BOL says : Only the account under which the SQL Server service account runs is granted NTFS permissions to the FILESTREAM container.So,  if you start SQL Server under different account , that account wil have access to use fliestream data (read / write)
  At the database level ,If a user has permission to the FILESTREAM column in a table, the user can open the associated files..
  Abhay Chaudhary OCP 9i, MCTS/MCITP (SQL Server 2005, 2008, 2005 BI) ms-abhay.blogspot.com/

• How to get rights for customization of the SRM

  Dear All,
  I am trying to make some customization on the SRM system (HU5 SAP SRM 7.0) available on ESWORKPLACE.
  Unfortunately I have no rights for changes, only for displaying SPRO settings.
  For example I am not able to make any changes under the "Define Process Levels" for Business Process Configuration (Workflow.)
  I am getting follwing message:
  "only authorizes you to display data.   Display locked data? "
  The exact path to the customizing is following:
  SAP Supplier Relationship Management->
  SRM Server->
  Cross-Application Basic Settings->
  Business Workflow->
  Process-Controlled Workflow->
  Business Process Configuration->
  Define Process Levels.
  Can you please advice, how can I get required rights for customizing SRM system ?
  Thank you very much,
  Regards,
  Michal

  Hi,
  You can't change anything on HU5 system, this system is from SAP for Enterprise Service demo/exploration. You can only view data, can't change/customize it.
  To do any change use your local IDES/development system.
  Regards,
  Gourav

• Safari and Chrome will not display some pages right for new user account

  Not sure this is a Safari issue actually. Behavior is also in Chrome, but not Firefox. If I need to post elsewhere please advise.
  24"imac running 10.5.8. 2gb ram, software update run,
  Setup a new user account. Machine will have 2 users.
  When I login as the new user, in both Safari and Chrome, some pages - google, ebay, amazon, cnn, yahoo, do not display correctly. Mainly empty space, a few graphics all wrong. They do display correctly in Firefox.
  I assumed it was the user. So I added a 3rd user. Same behavior. Tried giving the new user admin rights. Same problem.
  For the admin account, everything's fine on those pages, both in Safari and Chrome.
  It feels like the new user is not getting access to something it needs, but it also feels like more than a font problem. Thanks for any suggestions. Dan

  Thanks for your thoughts. Here's what I've learned. The browsers display correctly for the new user after SafeBoot. I removed all startup items, to no avail. Removed all fonts from the new user account, nothing. Removed all fonts from the admin user's library, nothing. Then I removed all fonts from the HD library, and that fixed it for the new user. Now I just have to figure out which one it was.
  So in summary, a bad font in the HD library was affecting Safari and Chrome (but not Firefox) in new user accounts, but not in the admin user's account. Nice. D

• SQL server service accounts question

  We created a test SQL environment using a Technet evaluation copy of Windows Server 2012 along with an evaluation copy of SQL2012. After testing, everything is working as planned so were going to enter the product keys for both Windows Server and SQL 2012.
  My question is that once we have our Server licensed we’re going to start a new domain and recreate all the user accounts but I installed SQL using a local user account I created called ”sqladmin”. Once Server 2012 is the DC in the new domain will I need to
  change all the service accounts for SQL in order for it to function or can I still use the local “sqladmin” user account? If I can re-use that local account are there any downside to that? What’s the best practice in this scenario

   Once Server 2012 is the DC in the new domain will I need to change all the service accounts for SQL in order for it to function or can I still use the local “sqladmin” user account? If I can re-use that local account are there any downside to that?
  What’s the best practice in this scenario
  Hi,
  You can use your sqladmin account but that wont be a good security practice. You should always follow principal of least privilege and should run SQL server with domain account having least privilege.Below link will help you in this
  Configure SQL server account and services
  Please mark this reply as the answer or vote as helpful, as appropriate, to make it useful for other readers
  My TechNet Wiki Articles

• Help: New owner of my iPhone getting prompted for my iTunes account.

  My wife is now using my old computer and iPhone 3g.
  1. In iTunes on the PC, she is logged in.
  2. iTunes says she has one app to upgrade.
  3. Clicking upgrade, iTunes then shows her account name and says there are no apps to upgrade.
  4. Go back to iTunes home page and it says she has one app to upgrade.
  5. My account is actually the account with 1 app to upgrade.
  1. On the iPhone, under settings she is listed as the current account.
  2. Try to buy an app from the app store and she gets prompted for my App store account.
  Has anyone seen this before? I'm at a loss as to how the two accounts are intermingled like this. Everywhere I look she is listed as the active account. But as soon as an upgrade or purchase is attempted it goes back to my account.
  Thank you in advance,
  Gary

  You can do this on your iPad or iPhone - please see Find My iPhone Activation Lock: Removing a device from a previous owner’s account - Apple Support (which is written from the point of view of the new owner).

• Is it possible to have different service pack between Exchange servers.

  Is it possible to have CAS Exchange 2007 running service Pack 1 and Mailbox server 2007 running SP2? In my env I need to have SP1 running on CAS server for some applications but also need to install SP2 for migration. Application cannot be upgraded so
  I am thinking to keep one CAS running SP1 and upgrade other Exchange 2007 servers to SP2. Please suggest.

  Hi,
  It is recommended to have the same service pack level on all Exchange 2007 servers, different service pack level may have potential effects.
  Here is a related thread for your reference.
  Exchange servers with different Service pack levels
  http://social.technet.microsoft.com/Forums/en-US/88e22daf-7ccb-49c3-97d8-f339336476da/exchange-servers-with-different-service-pack-levels?forum=exchangesvrdeploylegacy
  Hope this helps.
  Best regards,
  Belinda Ma
  TechNet Community Support

• OSX Server for Directory Services and an Exchange Server

  I am about to purchase an Xserve. I only want to use this for authentication purposes (OpenLDAP, Kerberos, whatever).
  We are getting rid of Windows Small Business server, but want to keep using Exchange for our email (we will build a new server with Exchange, I am not going to try to keep Small Business).
  My network is half OSX clients, half Windows XP clients.
  My question is this:
  Is it possible to have all of my users in my Xserve and have Exchange get username/password information from an OSX server (our Xserver will be our primary controller)?
  Thanks,
  aaron
    Mac OS X (10.4.9)  

  Have you gotten anymore information regarding "MS Exchange Server"... A good portion of my office are on Macs, but they all use entourage, and I refuse.. and using webmail is a pain in the butt,
  have you found anyway to send mail externally from the network?

• Export mac os x server mail accounts to exchange server

  Hi !
  I have a customer with a G5 xserve running 10.4.11 - it was set as the mail server.
  It had approx 40 windows users using IMAP accounts
  This has now been bypassed by new IT people coming in and installing an exchange server.
  I am now being asked if we can export all the mail for all the users in a format that can be used and imported into Exchange
  Has anyone done or attempted this - Are there any tools to facilitate this?
  TIA

  Or see the [Microsoft Online Services Migration Tools|http://technet.microsoft.com/en-us/library/cc742652.aspx] and related materials; Microsoft and most other vendors do usually implement mechanisms and documentation materials to allow easier imports into their various products, and I'd expect that a Microsoft Exchange administrator would have various options available. This in addition to open-source options such as imapsync or related. And I'd expect that available options would be documented over at Microsoft, too; either in the technet stuff or in the forums over there.