SQL Sentry Performance Analysis Security Requirements
Overview
The SQL Sentry Performance Analysis feature collects various performance and configuration data directly from Windows and requires a higher level of access to the operating system than other features. The easiest approach is to make the SQL Sentry monitoring service account either a domain administrator-level account or a member of the local Administrators group on each watched target.
In some scenarios it may be possible to use a non-administrator service account, although this isn't an officially supported approach. Complete the following steps to use a non-administrator service account:
- Enable DCOM on the SQL Sentry server machine, the SQL Sentry client machine, and the server to be watched. For more information, see the Securing a Remote WMI Connection article.
- Give the SQL Sentry monitoring service account proper permissions to the required WMI namespaces by going to the properties for WMI Control under Services and Applications in the Computer Management client. On the Security tab, ensure that the SQL Sentry monitoring service account has at least Enable Account and Remote Enable checked for the CIMV2 and WMI nodes.
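To confirm the second step took effect, the namespace ACLs can be read back from an elevated Windows PowerShell 5.1 session on the watched server. The script below is an added example, not part of the SQL Sentry documentation or tooling. It assumes the CIMV2 and WMI nodes are the `root\cimv2` and `root\wmi` namespaces, uses a placeholder account name, and matches only ACEs whose trustee is listed in `$Trustees`, so add any group the rights were granted through.

```powershell
# Added example: read-only audit of WMI namespace permissions for the monitoring account.
# Placeholder account; list the account plus any groups through which it was granted rights.
$Trustees   = @('CONTOSO\svc-sqlsentry')
# Assumption: the "CIMV2" and "WMI" nodes in WMI Control are these two namespaces.
$Namespaces = @('root\cimv2', 'root\wmi')

# WMI namespace access-mask bits, labelled as they appear on the Security tab.
$Rights = [ordered]@{
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Enable Account'  = 0x1
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}
$Required = $Rights['Enable Account'] -bor $Rights['Remote Enable']

foreach ($ns in $Namespaces) {
    # __SystemSecurity is the singleton class that exposes the namespace security descriptor.
    $sd = (Invoke-WmiMethod -Namespace $ns -Path '__SystemSecurity=@' -Name GetSecurityDescriptor).Descriptor
    [int64]$allow = 0
    [int64]$deny  = 0
    foreach ($ace in $sd.DACL) {
        $name = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" }
                else { $ace.Trustee.Name }
        if ($Trustees -notcontains $name) { continue }
        if ($ace.AceFlags -band 0x8) { continue }       # INHERIT_ONLY: applies to child namespaces only
        switch ($ace.AceType) {
            0 { $allow = $allow -bor $ace.AccessMask }  # access allowed
            1 { $deny  = $deny  -bor $ace.AccessMask }  # access denied
        }
    }
    # A deny ACE overrides an allow ACE for the same right.
    $effective = $allow -band (-bnot $deny)
    $granted   = $Rights.Keys | Where-Object { $effective -band $Rights[$_] }
    [pscustomobject]@{
        Namespace   = $ns
        HasRequired = (($effective -band $Required) -eq $Required)
        Granted     = $granted -join ', '
        Extra       = ($granted | Where-Object { $_ -notin 'Enable Account', 'Remote Enable' }) -join ', '
    }
}
```

A row with `HasRequired` false points to a missing or denied right on that namespace, and anything listed under `Extra` is a right beyond the two this procedure asks for.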
Additional Information:
- For more information about SQL Sentry requirements, see the How to check SentryOne requirements article from Sabin.io.
- To learn more about enabling a Windows Management Instrumentation (WMI) rule in Windows Firewall, see this answer to the "WMI The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)" question on Stack Overflow.
Example
SERVER-A is the exact same make and model as SERVER-B, and both servers are on the same domain. The SQL Sentry monitoring service user account is a domain user, but doesn't have administrator privileges on either server. Performance Analysis can successfully watch SERVER-A, but is unable to watch SERVER-B. The two servers are configured identically, with one exception: an additional network adapter from Acme Networking was installed in SERVER-B.
Acme Networking didn't design the associated WMI provider to support non-administrative access; therefore, Performance Analysis isn't able to successfully watch SERVER-B as a non-administrator. The only options are to either replace the network adapter with one that's known to support non-administrative access, or to contact Acme Networking to see if they have an updated version of the provider that supports non-administrative access.