Trimming monitor service account permissions...

encor

Hello,
I've just begun evaluating SQL Monitor 4 and found out, that - according to the product documentation - the service account requires administrator permissions on the monitored Windows machines. This is something I'd really like to avoid - I don't grant administrator permissions to service accounts unless I REALLY, REALLY have no other option - because of obvious security reasons.
So guys - as I don't really believe that being an administrator is a must for the SQL Monitor service account to operate properly :mrgreen: would you please tell me, what is the base set of the OS-level permissions that I have to grant to the account? I want to monitor both stand-alone SQL Server machines as well as clustered ones.
Regards
Artur

chriskelly

Thank you for your post.

There are a number of things that SQL Monitor uses to monitor entities that require admin rights. For example to remotely query WMI and to access the Performance Counter Library (PerfMon) it is necessary for the monitoring user account to have administrator rights. I realise that this is less than ideal, but unfortunately there is not much we can do about it whilst still allowing SQL Monitor to provide useful information.

rcinator

This is blatantly false information. Both WMI and Performance counters can be used without administrator permissions just by adjusting Group Policy or Local Security Policy settings. Administrator accounts are almost never needed to access this type of information if you configure things correctly.

Here is the information for how to do so for WMI: http://technet.microsoft.com/en-us/libr ... 71551.aspx

Here is the information for Performance Counters: http://technet.microsoft.com/en-us/libr ... 49115.aspx