Skip to main content

Hi, 

The service account for AppAware SQL backup is required to be Local Admin in the Database Server as well as have the sysadmin role in SQL. 

To me it is not clear if the requirement for Local Admin is to be permanent and for other operations than just the initial software/agent installation. 

For one customer the service account was automatically removed from Local Admin whitin 24hrs, and the backups still runs fine.  I would suppose that once the agent is registered additional software and updates are pushed by Commvault through the local system as for all clients. 

Reason for asking is that the customer needs to request that service accounts for AppAware are added in the automatic AD-admin configuration, and they would want to know for which purpose. 

To summarise, is the local admin needed for anything else but the initial software installation in the AppAware feature for SQL?  

Regards,

Patrik

@Patrik , let me see if I can find out exactly what it is used for.  My concern, like yours, is that it might be used for something additional, but hasn’t happened yet.

@Patrik 

Yes, it is possible that backup will work if the account permissions have been reduced. However local admin rights allow for other functions like instance discovery (services queries, etc). Some of these functions run in the background.

It is recommended and stated that the account should be local admin and sysadmin role for SQL permissions.

https://documentation.commvault.com/2022e/expert/18202_user_account_configuration_for_sql_server_agent.html

Thanks guys for clarifying. Sometimes the documentation could be a bit more detailed when it comes to describing the requirements for high administrative accounts. Especially in these days when most customers try to restrict the use of these kind of privileges for service accounts. 

/Patrik

Reply


Terms & ConditionsCookie settings