Recently I had a few questions regarding what it means to have a SQL Run As account and what High and Low Privilege security means to me. So, in short, this is what SQL Security means to me with regard to SQL MP Discoveries\Monitoring\Tasks…

Here’s a link to the documentation:
 
For High Privilege environments:
· If BUILTIN\Administrators does not have local Sys Admin or local SQL instance permissions, you may run into issues with the SQL Discoveries\Monitoring\Tasks and the scripts they use (scripts such as blocking, user connections, etc.).
· In the case where Local System is used as the SQL Engine Account, you should be OK with Discoveries running as the Default Action Account.
· In the case where SQL is Clustered, you may see the need to utilize the Windows Cluster Action Account ‘Run As’ profile for full discovery of Cluster resources. If the Default Action Account ‘Run As’ profile for cluster nodes is associated with Local System, or another account with Administrator permissions, then you should be OK without associating a separate Run As profile.
 
For Low Privilege environments:
· I add the Run As account or Action Account to:
o Local Performance Monitor Users Group
o Local Event Log Readers Group
o Add Log On Locally permission
o Configure the SQL Instance for monitoring
§ Details and permissions required are stated under Low Privilege Environment monitoring in the MP Guide
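
To verify the local (non-SQL) items in the list above on a monitored server, a check along these lines can be run from an elevated PowerShell session. This is an added example, not part of the MP Guide or the management pack; the account name `CONTOSO\svc-sqlmon` is a placeholder, and the SQL instance permissions from the MP Guide are not covered here.

```powershell
# Added example: audit the local prerequisites for a low-privilege
# Run As / Action Account. Run elevated on the monitored SQL Server host.
param(
    # Placeholder account name (assumption); replace with your Run As account.
    [string]$Account = 'CONTOSO\svc-sqlmon'
)

# Resolve the account to a SID so comparisons do not depend on name formatting.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

$results = [ordered]@{}

# 1) Local group memberships. Only direct members are listed; membership that
#    arrives through a nested domain group is not expanded here.
foreach ($group in 'Performance Monitor Users', 'Event Log Readers') {
    $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
    $results[$group] = [bool]($members | Where-Object { $_.SID.Value -eq $sid })
}

# 2) "Log on locally" is the SeInteractiveLogonRight user right. Export the
#    local security policy and read the SIDs/names that hold it.
$cfg = Join-Path $env:TEMP "user-rights-$PID.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$holders = @()
try {
    $line = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight\s*=' |
        Select-Object -First 1
    if ($line) {
        # Entries are comma separated; SIDs carry a leading '*'.
        $holders = ($line.Line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
# Direct grant only: the right may also arrive through a group (for example
# BUILTIN\Users), so False means "not granted directly", not "denied".
$results['Log on locally (direct)'] =
    ($holders -contains $sid) -or ($holders -contains $Account)

$results.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
```

A `False` for either group, or a missing direct grant with no covering group in the exported holder list, points at the item to fix before troubleshooting the SQL side.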
 
Note from the MP Guide:
“By default, all discoveries, monitors, and tasks defined in the SQL Server management packs default to using the accounts defined in the “Default Action Account” Run As profile. If the default action account for a given system does not have the necessary permissions to discover or monitor the instance of SQL Server, then those systems can be bound to more specific credentials in the SQL Server Run As profiles, which do have access.”