
Trying to find an answer to this. A vendor I work with, Red Gate, wrote in their documentation:

SQL Clone Agent requirements

An agent should be installed on the same machine as any SQL Server you wish SQL Clone to use as a source of images, destination for clones, or temporary scratch space for restoring backups.

Requires:

  • Minimum (limited to <1.8TB images): Windows Server 2008 R2 or Windows 7
  • Recommended (limited to <64TB images): At least Windows Server 2012 or Windows 8.1
  • SQL Server 2008 or later (Express edition is sufficient - though Clones will not circumvent SQL Server Express' 10GB database size limit)
  • .NET Framework 4.6.1 or later (part of installation)
  • Outbound connection to remote (SQL Clone Server) port 14146 must be allowed

This requires a Windows user account which has:

  • Local admin privileges in order to use the Virtual Disk Service
  • Read/write access to network locations where images will be stored
  • Have you tried procmon to see what it does and what gets denied? https://deployhappiness.com/fixing-applications-that-require-administrator-rights/ – John Mahowald Nov 29 '18 at 15:54
  • Good suggestion. I hit a dead end when I discovered SQL Clone Agent won't even allow the Windows service to start if you forcibly change it to a non-admin account after the service is installed. "Service cannot be started. System.InvalidOperationException: Must run with local administrative privileges" – John Zabroski Jan 08 '19 at 00:10

1 Answer

Using VDS

An application that is using VDS must run under the Backup Operator or Administrators group account. Without the appropriate privilege, an application can create a service loader object, but the object will not load VDS. Instead, it returns an error indicating that access to VDS is denied.

So it appears that the application is interpreting the user it runs as, or the error returned, as not running as local admin.

You can try a user in the Backup Operator group, which is still highly privileged but at least is not Administrators. If that does not work, complain to the vendor that they do not allow least privilege.

Looks like a use case for local admin. You can enforce domain users having local admin with Group Policy.

John Mahowald
  • Thanks, I will relay that to Red Gate. Backup Operator is less likely to raise an external audit flag, so that is way better in my eyes. – John Zabroski Jan 08 '19 at 23:43
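
To verify which of the two groups named in the quoted VDS documentation the agent's service account is actually in, here is an added PowerShell example; it is not code from Red Gate or from the answer above. The service display-name pattern is an assumption, and the group SIDs are the well-known Windows values for Administrators and Backup Operators.

```powershell
# Added example: reports which privileged local groups a service's logon
# account belongs to. The display-name pattern is an assumption; adjust it.
param([string]$DisplayNamePattern = '*SQL Clone Agent*')

# Well-known SIDs of the two groups the VDS documentation names.
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$BackupSid = 'S-1-5-32-551'   # BUILTIN\Backup Operators

function Resolve-AccountSid {
    param([string]$Account)
    if ($Account -eq 'LocalSystem') { return 'S-1-5-18' }
    # Local users are stored on the service as '.\user'.
    $name = $Account -replace '^\.\\', "$env:COMPUTERNAME\"
    $nt = New-Object System.Security.Principal.NTAccount($name)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-DirectMember {
    param([string]$GroupSid, [string]$AccountSid)
    # Direct members only: nested domain groups are not expanded.
    $members = Get-LocalGroupMember -SID $GroupSid -ErrorAction SilentlyContinue
    [bool]($members | Where-Object { $_.SID.Value -eq $AccountSid })
}

Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like $DisplayNamePattern } |
    ForEach-Object {
        $sid      = Resolve-AccountSid $_.StartName
        # LocalSystem is not listed in Administrators but is at least as privileged.
        $isAdmin  = ($sid -eq 'S-1-5-18') -or (Test-DirectMember $AdminsSid $sid)
        $isBackup = Test-DirectMember $BackupSid $sid
        $finding  = if ($isAdmin) {
            'Runs with local admin rights'
        } elseif ($isBackup) {
            'Backup Operators only: meets the VDS group requirement'
        } else {
            'In neither group: VDS access would be denied'
        }
        [pscustomobject]@{
            Service = $_.Name; Account = $_.StartName; Sid = $sid
            Administrators = $isAdmin; BackupOperators = $isBackup; Finding = $finding
        }
    }
```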