I'm attempting to implement Policy Based Management on a SQL Server 2012 instance also acting as a Central Management Server using the Enterprise Policy Management Framework. The job running the Powershell script has a login on all servers allowing it to connect and view all databases. It also has all related msdb roles on the CMS. However, the policy only executes against a database if its guest user is enabled. Instances with no databases with an enabled guest just return "No Target Found".
Am I missing something obvious, or do I have to give the agent account a user on every database on every instance?
Best Answer
I've spent most of today bashing my head against this, and didn't come up with anything. I tried:
In the end, nothing worked. I believe this is possible on SQL Server 2014, which has a "CONNECT ALL DATABASES" server-level permission, but 2012 has no equivalent that isn't also a much larger security risk than I'm willing to accept.
I decided to bite the bullet and add the account as a user on every database. Here's what I did:
Executing this script against the CMS added the user to every database on every instance except for master, msdb, and tempdb. I left model in so that when we create databases in the future, they'll already have the user added.
If anyone has a better way that doesn't involve mapping to every database, feel free to share, but at this point I'm not convinced it can be done (short of making the account sysadmin, which I doubt would make it into production).