Hi all, on the directories where the data files (F:.....Data) and the log files (G:....Log) are stored, we set up our own access rights (with downward inheritance). If I create a new text file in these directories, all is as it should be (the ACL is inherited from the directory above). If I create a new db in SQL 2008 (default path for data and log files pointing to F:... + G:... as mentioned above), the db files are created in the correct directories, but the ACL of the files is always owner rights = full control, sqlservermssqluser$hostname$mssqlserver = full control, administrators = full control. Is there a way to avoid the setting of this "default ACL behaviour" for the data and log files and take access rights from the directory instead? Any help is highly appreciated! TIA acki4711
OK, Windows 2008 has new forms of ACL handling that involve fundamental changes to the way permissions work, so it's important to understand the impact on security. An ACL is the roll of permissions (such as Administrators - Full Control, Users - Read) assigned to a registry key, NTFS folder, or similar object. Each entry in an ACL, such as Users - Read, is known as an Access Control Entry (ACE). In this case, I would like to know: how many times a day are your new databases created?
I did a bit of research on what you have asked. The behaviour is quite natural: your SQL Server service account has ADMIN privileges (on the server), which in turn leads to such permissions being inherited on files when they are created. So probably you may have a script to change the ACLs on newly created files using Windows scheduler once a day. HTH
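
As an added example that is not part of the thread, the scheduled ACL reset suggested in the last reply could be written in PowerShell as follows. The `-Directory` and `-ServiceAccount` parameters are hypothetical names supplied by the caller, and the check that the directory ACL carries an inheritable Modify entry for that account is an assumption about what SQL Server needs to keep working.

```powershell
# Added example (not from the thread). Report-only unless -Apply is given.
# -Directory and -ServiceAccount are caller-supplied; no values from the thread are assumed.
param(
    [Parameter(Mandatory = $true)] [string[]] $Directory,       # data and log directories
    [Parameter(Mandatory = $true)] [string]   $ServiceAccount,  # identity that must keep access
    [switch] $Apply
)
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify
$toFiles = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

foreach ($dir in $Directory) {
    # Assumption: the directory ACL must itself give the service identity an
    # inheritable Allow entry with at least Modify, or resetting the files would
    # lock SQL Server out. Access granted only via a group is not detected here.
    $ok = (Get-Acl -LiteralPath $dir).Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $modify) -eq $modify -and
        ($_.InheritanceFlags -band $toFiles) -eq $toFiles
    }
    if (-not $ok) {
        Write-Warning "$dir : no inheritable Modify entry for $ServiceAccount, skipping"
        continue
    }
    $files = Get-ChildItem -LiteralPath $dir -File |
        Where-Object { $_.Extension -in '.mdf', '.ndf', '.ldf' }
    foreach ($file in $files) {
        $acl = Get-Acl -LiteralPath $file.FullName
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        # Nothing to do when inheritance is on and no explicit ACEs exist.
        if (-not $acl.AreAccessRulesProtected -and $explicit.Count -eq 0) { continue }

        # One report row per file whose ACL deviates from the directory's.
        [pscustomobject]@{
            File               = $file.FullName
            InheritanceBlocked = $acl.AreAccessRulesProtected
            ExplicitEntries    = ($explicit | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            Changed            = [bool]$Apply
        }
        if ($Apply) {
            $acl.SetAccessRuleProtection($false, $false)   # turn inheritance back on
            foreach ($rule in $explicit) { $acl.RemoveAccessRuleSpecific($rule) }
            Set-Acl -LiteralPath $file.FullName -AclObject $acl
        }
    }
}
```

Run it once without `-Apply` to review the report, then schedule it with `-Apply` under an account that is allowed to change permissions on the database files.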