Our scenario is that we have a department full of database administrators who require limited access to our db servers ranging from sql 2000 to 2008 on windows 2000, 2003 and 2008 (about 60 or so). We need to allow these dbas access to restart the sql services without the ability to have administator rights on the servers. We have assigned them sysadmin rights for enterprise manager so they have full access to sql related tasks and currently they have administrator rights to the servers just to accommodate mmc access to restart services (or through enterprise manager / management studio) but we have restricted rdc access. This still poses a large security risk since anyone who has knowledge of unc to hidden shares can still manipulate the file system as well as using psexec or a number of other remote admin tools. We have created various shares on the servers to allow them access to and to manipluate only the sql related information, such as databases, logs, a backup directory, a replication directory, etc. The issue I discovered is this. If the dbas do not have admin rights on the servers then they do not have access to use the services mmc snap-in to access remote servers. I have used group policy to assign them access only to the services they need and they can stop and restart sql services without admin rights but they must use sc or netsvc commands in order to do so. They dont like this and want mmc access or at the least the ability to restart through enterprise manager (since we have prevented them rdc access, I think thats fair). So what I need to understand is how to allow them access to an mmc snap-in (services specifically) or to shutdown/restart from within enteprise manager without making them a member of the local administrators groups. From everything I have read this dosent seem possible, but I cannot believe Microsoft would not have a solution to this. You can not tell me that Microsoft expects a database administrator to have full control over a server in order to manage SQL. Im sure I just havent found the right solution. Hoping for some advice and suggestions here. Thanks guys

Hi, As this issue is mainly related to SQL server, I suggest discussing it in our SQL server forum. They are the best resource to help you on this issue. http://social.technet.microsoft.com/forums/en-US/category/sqlserver/ I hope your issue can be resolved soon. Tim Quan - MSFT

I was told by an msft moderator on the sql forums to post here since the issue was in securing WINDOWS for SQL administration. Please stop bouncing me around.