Provisioning Services: Service Account Permissions and Configuration for Accessing PVS SQL Database

Provisioning Services: Service Account Permissions and Configuration for Accessing PVS SQL Database

book

Article ID: CTX120080

calendar_today

Updated On:

Description

This article provides a description on how different service accounts should be configured to grant adequate SQL permissions.

Service Account Configuration for Accessing SQL

Service users are the accounts under which the Stream and Soap services run on a Provisioning Services (PVS) server which needs both SQL database permissions and file permissions to access the Virtual Disk. Because these users are communicating with the database, they must be members of the db_datareader and db_datawriter roles and have Execute permissions for the stored procedures. In PVS 6 and earlier the configuration wizard automatically configures the database in this manner if the Configure the database for the account option is enabled under the Service account page of configuration wizard. On PVS 7 and later the configuration wizard will always configure the database to have the correct permissions for the account.

  • Service logon accounts must be a domain member to retrieve the list of groups from Active Directory but do not require Domain Administrator privileges.

  • Service logon accounts should not be confused by users performing role based administrative tasks through the PVS Server console. Console users do not require any SQL credentials but they must be members of the appropriate Active Directory groups configured for the role-based administration. Generally, no domain administrative privileges are required. However, there is one exception and that is for the ability to add devices to the domain. In that case, the necessary privileges must be granted to the user running the console.

  • SQL permissions are totally separate from Active Directory permissions and must be managed accordingly.

Some other related notes:

  • Local administrative privileges are required to install PVS server and start its services.

  • A logged-on user, running the configuration wizard for the first time, must be a member of the following SQL Server Roles: dbcreator and securityadmin.

Setting SQL permissions through Configuration Wizard

Network service account

If the Stream and SOAP services are running under the Network Service account, the SQL permissions must be configured for each machine running PVS Server, because the Network Service account is built into the local machine account and does not have domain privileges. As mentioned previously, enabling Configure the database for this account sets the required SQL permission.
 
PVS 6PVS 7
User-added imageUser-added image

Specified user account

If the Stream and SOAP services are configured using a specified user account, the SQL permissions must be configured (check box) only once for each user and the first time the configuration wizard is run to initialize the database. The configuration wizard on PVS 7 will configure the database permissions automatically.
 
PVS 6PVS 7
User-added imageUser-added image

Local system account (only for PVS 6)

The local system account is for workgroup environments requiring SAN access and SQL Server is installed locally on the PVS Server. 

User-added image

This account has local administrative privileges and uses the administrator account created when SQL Server is installed.

Issue/Introduction

This article provides a description on how different Provisioning service accounts should be configured to grant adequate SQL permissions.

Additional Information

Requirements for Provisioning Services 7

Powered by Wolken Software