No announcement yet.

Service Account

  • Filter
  • Time
  • Show
Clear All
new posts

  • Service Account

    I have a service account which is used to launch SQL Server and SQL Server Agent on several different machines. Recently we have begun to suspect that someone might be logging into a server with this account. While we can lock down that account to not be able to login to an actual console, we would like to be able to tell if the account has been used in this way. Is there a reporting tool that differentiates between actual logins and times when the service account is launching SQL Server or the agent service?

  • #2
    Re: Service Account

    if you have the correct auditing setup, you should be able to see this in the security logs.

    you'd have to filter it of course..

    The other option is to just change the password to something super-secure.
    Please do show your appreciation to those who assist you by leaving Rep Point


    • #3
      Re: Service Account

      Look in your DC security logs for login entries. Interactive logins where someone is pounding keys is a different type of login than a service activating (I think interactive is type 3, network activity is 7, can't recall for sure).

      Have a look thru for login types, then filter your DC security logs, since that's where the login type is recorded (assuming you have the necessary logging turned on, as tehcamel pointed out). Once you know date/time of interactive logins, you can start looking more deeply for other clues as to who the culprit is.
      MSCA (2003/XP), Security+, CCNA

      ** Remember: credit where credit is due, and reputation points as appropriate **