Tomsyr wrote:We needed to move service accounts with DA rights into a special group that now has deny 'interactive logins', so now we get unable to truncate SQL server transaction logs, etc... 'Win32 error:Logon failure: the user has not been granted the requested logon type at this computer.'.
Due to passwords expiring, we need to have service accounts NOT expire, and since service accounts have 'known' passwords, we need to prevent interactive logins.
I'm not sure if there's any way to prevent requiring "known passwords", but certainly the account does not need to be a Domain Admin. To perform VSS freeze the account used for AAIP needs to be a Local Admin, and to truncate logs the account must have db_backupoperator role on any databases in FULL or Bulk recovery mode, or you can assign SQL sysadmin rights to the account to allow it to truncate logs on any database.