Least Privilege for SQL Agent to run DISKPART

Posted on

Question :

The DISKPART script


runs fine as long as SQL Agent has admin rights on the server; otherwise the script fails with this message:

Microsoft DiskPart version 6.3.9600

Copyright (C) 1999-2013 Microsoft Corporation.
On computer: FOO

DiskPart has encountered an error: Access is denied.
See the System Event Log for more information.

Initially working through this issue there were errors in the event viewer. However, now that I have used dcomcnfg.exe to give Full configuration, Local Access, Local Launch and Local Activation rights for the SQL Agent account to Virtual Disk Service, there are no messages showing in the system log — just the above message in the SQL Agent job history. I’m looking for the master tome of Windows configuration but there does not seem to be one. Do I need to set up auditing or traces to see what privileges are being requested?

Answer :

You are getting deep into internals here

Membership in the local Administrators group, or equivalent, is the
minimum required to run DiskPart

And this SE thread points to the same.

Now usually you want to avoid giving to much permission to the service accounts and I’m not certain if giving the SQL Server agent permissions to mount/unmount volumes and at the same time delete them would be considered best practices.

You can probably program a system service that can do the diskpart magic and call that but this really ask the question why you would want to to this from SQL Server.

Leave a Reply

Your email address will not be published. Required fields are marked *