
Setup Group Membership

FineBuild can set up the Group Membership needed on the server for SQL Server.

The SQL Server install process will create a number of Windows groups. These groups are all local groups, except when installed on a Domain Controller when the groups are domain level.

In the days of NT4 it used to be good practice to base server security around local groups. It was common practice to assign permissions to a local group, and then add domain groups and users to the local group so they inherited the permissions of the local group.

When GPOs were introduced with Windows 2000 they provided an alternative means to deploy server security. Although GPOs can easily incorporate well-known name local groups, it is far harder to include arbitrarily named local groups of the type used by SQL Server. Well-known name groups are those created as part of a Windows install. They are called well-known because the security identifiers (SIDs) for these groups are the same on all Windows installations.

With Windows 2008 and above, the NT4 concept of using local groups no longer works. If a domain group or user requires file permissions on a server, then those permissions must be assigned directly to the domain object. Permissions related to services are linked to the SID for that service, not to the local group containing the service account. The local groups created by the SQL Server install process on Windows 2008 should therefore be considered legacy objects.

FineBuild Group Membership Processing

Processing of Group Membership relates to Process Id 1EA in the FineBuild1Preparation script, and is always performed automatically.

Manual Setup Group Membership Processing

The following steps show what you would have to do to set up Group Membership manually. FineBuild does all of this work for you automatically.

The local server Group Membership below must be set up:
  • FineBuild will configure the group membership below, but any GPO configuration will take precedence
  • It is not required for any accounts to be added to the local Administrators group
  • These permissions should augment but not replace the site standard membership for these groups
  • Membership of the Users group will be restricted by the Setup No Windows Global Access processing

| Local Server Group Name | Group Membership |
|---|---|
| Distributed COM Users | DBA Sysadmin Group; DBA Non-Admin Group; SQL Service Accounts |
| Performance Log Users | DBA Sysadmin Group; DBA Non-Admin Group; SQL Service Accounts |
| Performance Monitor Users | DBA Sysadmin Group; DBA Non-Admin Group; SQL Service Accounts |
| Remote Desktop Users | DBA Sysadmin Group; DBA Non-Admin Group; (local) Administrators |
| Users | DBA Sysadmin Group; DBA Non-Admin Group; SQL Service Accounts; All local Administrators users; Cluster Root account; R Services user names |
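
The membership listed above can be audited, and optionally applied, with a short script. This is an added example, not FineBuild's own code: the account and group names are placeholders, and it covers only the DBA Sysadmin Group, DBA Non-Admin Group and SQL Service Accounts entries, leaving the Administrators, Cluster Root and R Services entries out. It addresses the built-in groups by their well-known SIDs and uses the LocalAccounts cmdlets shipped with Windows PowerShell 5.1.

```powershell
# Added example: audit (and with -Apply, add) the required local group membership.
# Run from an elevated PowerShell session on the SQL Server host.
param([switch]$Apply)

# Assumption: placeholder principals. Replace with the site's real names.
$dbaSysadmin = 'EXAMPLE\DBA-Sysadmin'
$dbaNonAdmin = 'EXAMPLE\DBA-NonAdmin'
$sqlServices = @('EXAMPLE\svc-sqlengine', 'EXAMPLE\svc-sqlagent')

$dbaOnly = @($dbaSysadmin, $dbaNonAdmin)
$dbaAndServices = $dbaOnly + $sqlServices

# Well-known SIDs are identical on every Windows install, so lookups by SID
# also work where the built-in group names are localized.
$required = [ordered]@{
    'S-1-5-32-562' = $dbaAndServices   # Distributed COM Users
    'S-1-5-32-559' = $dbaAndServices   # Performance Log Users
    'S-1-5-32-558' = $dbaAndServices   # Performance Monitor Users
    'S-1-5-32-555' = $dbaOnly          # Remote Desktop Users
    'S-1-5-32-545' = $dbaAndServices   # Users
}

$report = foreach ($sid in $required.Keys) {
    $group   = Get-LocalGroup -SID $sid
    # Current members as DOMAIN\name strings; @() keeps an empty group as an empty array.
    $current = @(Get-LocalGroupMember -SID $sid | ForEach-Object { $_.Name })

    foreach ($member in $required[$sid]) {
        $present = $current -contains $member   # -contains is case-insensitive
        $action  = 'None'
        if (-not $present) {
            $action = 'Missing'
            if ($Apply) {
                # Only ever adds; existing site-standard members are left in place.
                Add-LocalGroupMember -SID $sid -Member $member -ErrorAction Stop
                $action = 'Added'
            }
        }
        [pscustomobject]@{ Group = $group.Name; Member = $member; Action = $action }
    }
}

$report | Format-Table -AutoSize
```

Without `-Apply` the script only reports missing members. Because GPO configuration takes precedence, run the audit again after the next Group Policy refresh to confirm the membership was not reverted.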

Copyright FineBuild Team © 2014 - 2016. License and Acknowledgements

Last edited Nov 11, 2016 at 12:50 PM by EdVassie, version 4