Support

Granting adTempus access to a remote database when running under the Local System account

Article ID: K00000397
Last Updated: March 22, 2012

Applies To

adTempus 3

Summary

This artcle describes how to grant adTempus access to a remote SQL Server database when adTempus is running under the Local System account.

Background

The adTempus service by default runs under the Local System account, and this is the preferred account for the service.

However, the Local System account by default cannot connect to a database hosted on a different computer. In such a configuration, the adTempus database configuration documentation recommends that you either change your database and adTempus to use explicit SQL Server authentication, or reconfigure the adTempus service to run under a user account that has the necessary database permissions (see article K00000215).

However, both of these approaches have drawbacks:

Many administrators prefer to avoid enabling explicit SQL Server authentication on the database server.
Running adTempus under a user account requires extra steps to enable account rights for the user account.

A third approach is to add access to SQL Server for the Local System account on the adTempus computer, as described in the following section.

Configuring SQL Server

Note: This procedure is only necessary if adTempus is running on a different computer than SQL Server. If they are on the same computer, no further configuration is needed.

To grant adTempus access to a remote SQL Server, you must add a machine login to SQL Server. To do so, connect to SQL Server using SQL Server Management Studio or another management tool.

In the database script below, make the following replacements:

Change "domain" to the name of your domain.
Change "computername" to the name of the computer where the adTempus service is running. Be sure to leave the "$" after the name as shown below.
Change "databasename" to the name of the adTempus database.

CREATE LOGIN [domain\computername$] FROM WINDOWS with DEFAULT_DATABASE=[databasename]
go

use [databasename]
go

EXEC sp_grantdbaccess N'domain\computername$', N'domain\computername$'
go

exec sp_addrolemember N'db_accessadmin', N'domain\computername$'
GO

exec sp_addrolemember N'db_backupoperator', N'domain\computername$'
GO

exec sp_addrolemember N'db_datareader', N'domain\computername$'
GO

exec sp_addrolemember N'db_datawriter', N'domain\computername$'
GO

exec sp_addrolemember N'db_ddladmin', N'domain\computername$'
GO

exec sp_addrolemember N'db_owner', N'domain\computername$'
GO

exec sp_addrolemember N'db_securityadmin', N'domain\computername$'
GO

Run the modified script and make sure that all statements succeeded.

adTempus should now be able to connect to the database while running under the Local System account.

Other Versions

This article applies only to the version(s) of the software shown above under Applies To. Other versions of the article are available:

adTempus 4, adTempus 5