Configuring service rights

Prev Page Next Page
Recovery models
Main backup types
Backing up the database files by copying
The transaction log
Transaction log restore sequence
Log sequence numbers
Truncating and shrinking the transaction log
Backing up the tail
Inside the transaction log
So, what's in a backup file?
Test: A full backup does not contain deleted data
Verifying backup files
Verifying backup files on a budget
Cumulative backups
Recovering individual tables
Backup and restore history details
Backup reads and writes
Speeding up backups
Backup speed details
Speeding up restores
Restore state affects speed too
Backup and restore rights
Log shipping
Log shipping in SQL Server 2000
Setting up log shipping using Enterprise Manager
Checking the set up
Log shipping in SQL Server 2005
Setting up log shipping using Management Studio
Checking the set up
Log shipping status report
Log shipping in SQL Backup
Using the CopyTool utility
3rd party backup applications
VDI versions
VDI errors
SQL Backup - beyond compression
Restoring a chain of transaction log backups
Restoring to the latest possible state
Backing up multiple databases
Backup retention
Making a copy of the backup file
Backup file naming conventions
Restoring the latest backup set
Network resilience
Integrated database verification
Database file relocation
Improved backup retention
High-availability group support
Common SQL Backup issues
Installation checklist
Setting up rights
Configuring service rights
Backup data
Hanging issues
Common backup and restore errors
Error 3201 - when performing a backup to a network share
Full database backup file is larger than database size
Error 3205 - Too many backup devices specified for backup or restore
Error 4305 - an earlier transaction log backup is required
Bringing a database that is in recovery or read-only mode online
Using bulk-logged recovery model but transaction log backup is still large
Error 14274 - unable to delete SQL Server Agent job
Error messages when restoring from different versions of SQL Server.
vdi error codes
Restore speed details
Help, my transaction log file is huge!
Mirror or log ship

When you encounter error 1000 in SQL Backup, this could be because the SQL Backup Agent service startup account does not have rights to query the SQL Server instance's service configuration.

VDI error 1000: Failed to create virtual device.  Check that the SQL Server instance you are trying to connect to is running. Error code: (-2139684857: Failed to recognize the SQL Server instance name.)


You can confirm if this is the cause of error 1000 by turning on auditing for failed object accesses.  If the error is indeed due to denied access to the service's configuration, it will be logged in the Windows event log.


The service's security configuration is determined by the Discretionary Access Control List (DACL) for that service.  You can view the DACL configuration for the service by running the following:


assuming the SQL Server instance's service name is MSSQLSERVER.  You will need to change this if you are querying the DACL configuration for a named instance.


Admittedly, this isn't exactly easy to understand.  The following links provide suggestions on how to view and modify the security settings for system services in an easier manner.

·http://support.microsoft.com/kb/288129 for Windows 2000.

·http://support.microsoft.com/kb/325349/en-us for Windows Server 2003.

You can also download DACLReader, a free utility from Yohz Software, that also presents the information in a more readable manner, though only for SQL Server related services.


The only right that you need to grant to the SQL Backup Agent service startup account is the Query Configuration right, which is denoted by the code CC.  Assuming you want to grant this right to only the specific account, here is one approach you can take.

Identify the Security Identifier for that account, using DACL Reader.


Prepare the DACL values in DACL Reader.  The entry needs to start with A, followed by two semi-colons, then followed by the code CC, followed by another 3 semi-colons, then finally by the SID of the account.


Next, open a command prompt window, and use sc sdset to update the DACL values.


If everything goes well, sc should return a successful message.


Finally, you can use DACL Reader to check if the right has been assigned.


Document history
12/20/2008    Added links to Microsoft Support documents.    
12/8/2008    Initial release.    
Copyright 2008 - 2021 Yohz Ventures Sdn Bhd. All rights reserved.
All product and company names are trademarks or registered trademarks of their respective owners.