Installing SQL Server 2008 Services in a High-Security Domain


If you need to install the SQL Server 2008 Database Engine (SS08) or the SQL Server Reporting Services (SSRS) in a domain where some of the administrative privileges of the local administrator account have been removed, you may want to check 3 particular permissions, listed just below. Unfortunately, these permissions don't get checked by the RTM (release-to-manufacturing) version of the install checks. Interestingly, as a local admin, I was able to add the 3 missing privileges to my own account, log out and log back in, and then successfully complete a reinstall.

Speaking of which, if you've already tried to install the database engine or Reporting Services and they failed, you need to go into the Control Panel's Add/Remove Programs, find and click on "Microsoft SQL Server 2008" and then click on the Change/Remove button, and click your way through until you can choose the features to remove. You can remove only the features that you have error messages for. For instance, if the SQL Server 2008 Database Engine was already installed and working fine, but a subsequent install of Reporting Services failed, you don't have to remove the Datbase Engine, even though you launch its removal tool in order to remove the botched SSRS. If you're wondering if you have to reboot after removing SSRS, I tried a reinstall without rebooting and it worked fine, once my local admin account had the right permissions. However, when the install of the database engine failed, I had to remove SS08 before I could reinstall.

Also, if you're installing while the account you're logged in with doesn't have the following privileges, you can see failures for the Database Engine Services, SQL Server Replication, Full-Text Search, and Reporting Services. I'm posting this here to try to make this info easier to find, because I had a little trouble finding it due to not knowing the best terms to search for. (Well, at least I'll know where to find this from now on...)

Local Policy Object Display Name

User Right

Backup files and directories

SeBackupPrivilege

Debug Programs

SeDebugPrivilege

Manage auditing and security log

SeSecurityPrivilege

(Chart snipped from http://support.microsoft.com/kb/2000257, which includes how to drill into the Group Policy Editor, in case you're not familiar with that.)

You can see how the User Rights' Group Policy Name maps to its Constant Name here: http://technet.microsoft.com/en-us/library/dd349804(WS.10).aspx.

By the way, an easy way to check privileges is with Mark Russinovich's AccessChk program, which you can find here: http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx.

SE phrases: SS08, SSRS, RS08, SQL Server Reporting Services 2008, SQL Server 2008 Reporting Services, Configuration action failed for feature SQL_Engine_Core_Inst during timing ConfigRC and scenario ConfigRC., Access is denied, 0x5D9A8C61, Error result -2068643839, 17058, Event ID 7024, SqlEngineDBStartConfiguration_install_configrc_CPU32, LinkID 20476, Message Source Setup.rll, Evt Type 0x0CE75128%400x5D9A8C61.

Comments (2)
  1. Anonymous says:

    Mr Lambert,

    I owe you at least a beer or my first-born child for this fix.

    Best,

    Vince

  2. How about doing it without these privileges says:

    We were able to install thr RTM of the client tools and SSIS without these privileges.  But now we need to install SP3 and it will not even start with the "manage auditing and security log" which we can not set or get.  So how we can install "SQL Server 2008 Services in a High-Security Domain"?

Comments are closed.

Skip to main content