For SQL Server 2012 and above, as What's New in SQL Server Installation states:
BUILTIN\administrators and Local System (NT AUTHORITY\SYSTEM) are not automatically provisioned in the sysadmin fixed server role.
In my case this has become a problem: I have a WiX installer which uses a Custom Action
C++ code to setup database data (create the database, views, procedures, data etc.). Custom Action
runs as user NT AUTHORITY\SYSTEM
, but this account does not have permission to execute CREATE DATABASE
scripts.
-
Is it correct to give
sysadmin
role toNT AUTHORITY\SYSTEM
while installing software? Or maybe there is a better solution? -
If it is correct, is it possible to find the proper user name for
NT AUTHORITY\SYSTEM
? I need this name in order to change permissions*. In different locales this name is different, for example,NT AUTHORITY\SYSTEM
orNT AUTHORITY\СИСТЕМА
.
Adding NT AUTHORITY\SYSTEM
to the sysadmin
role:
IF NOT EXISTS
(
SELECT name
FROM master.sys.server_principals
WHERE IS_SRVROLEMEMBER ('sysadmin', name) = 1
AND name LIKE 'NT AUTHORITY\SYSTEM'
)
EXEC master..sp_addsrvrolemember
@loginame = N'NT AUTHORITY\SYSTEM', @rolename = N'sysadmin'
Searching sys.server_principals
for name LIKE 'NT AUTHORITY\%'
will not work because sometimes there will be more than one NT AUTHORITY\...
user. I encountered a case like that on one of my virtual machines.
Best Answer
You can get the name of well-known security identifiers (SIDs) using a PowerShell script:
Personally I never had to do this from C/C++ code. See the MSDN article about the WINAPI or
System.Security
namespace for managed code.There is a compact example in the Stack Overflow Q & A WinAPI LookupAccountSid from an .evt file by Remy Lebeau:
Is there any problem placing
NT AUTHORITY\SYSTEM
in the SQL Serversysadmin
role when installing software from a reliable source? There should be no problem, I hope, but who knows...