Admin permissions for SQL Diagnostic Manager

Does SQL Diagnostic Manager require full admin permissions all of the time, or is it for certain tasks? After upgrading, it looks like admin permissions are needed for connecting to the management service.

  • For the SQLDM Desktop Client (the .NET user interface), I do believe that it does need to be run using the "Run as administrator" option. There are a few registry keys that it needs to be able to read and update, as well as some config files in the installation directory. I also believe that if UAC was disabled, then you can probably get around having to run the application using the "Run as administrator" option.

  • In my experience, you only need to run as admin when you launch the console for the first time and it requests the connection setting to the SQLDM database. After that you are fine, but in most cases that may not even be necessary. Usually you can just avoid running as admin the first time and put in your settings, and you will see the error, but if you close out of the console and open it again, you will not continue to see the error, for whatever reason.

    Only one registry key should be modified to get around this issue that I am aware of, if you are doing a mass deployment and do not want to deal with this issue on multiple machines. You just need to allow the specific user using the console "FullControl" to the registry key "HKLM:\Software\Idera\SQLdm", or in my case I just update the "BUILTIN\users" group ACL from read to Full Control so it does not matter what user is using the console.

    Here is a PowerShell script I made to automate the change:
    # Read the current ACL of the SQLdm key
    $acl = Get-Acl 'HKLM:\Software\Idera\SQLdm'
    # Build an Allow / FullControl rule for BUILTIN\users on this key only
    $idRef = [System.Security.Principal.NTAccount]("BUILTIN\users")
    $regRights = [System.Security.AccessControl.RegistryRights]::FullControl
    $inhFlags = [System.Security.AccessControl.InheritanceFlags]::None
    $prFlags = [System.Security.AccessControl.PropagationFlags]::None
    $acType = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule ($idRef, $regRights, $inhFlags, $prFlags, $acType)
    # Attach the rule to the ACL object before writing it back
    $acl.SetAccessRule($rule)
    # Write the updated ACL to the key
    $acl | Set-Acl -Path 'HKLM:\Software\Idera\SQLdm'

    Just run that after the install and it should get rid of that message the first time you run the console.
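
An added check, not part of the original answer: it lists any Allow rule on the key named above that gives Everyone, Authenticated Users or BUILTIN\Users write-capable rights, so you can confirm what a mass deployment actually granted. The function name `Get-BroadWriteGrant` and the set of SIDs treated as broad are assumptions of this example.

```powershell
# Added example: report write-capable grants to broad groups on the SQLdm key.
# The key path comes from the thread; the choice of "broad" SIDs is an assumption.
$keyPath = 'HKLM:\Software\Idera\SQLdm'

# Well-known SIDs, so the check does not depend on localized group names.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal change the key's contents or its security descriptor.
# WriteKey is left out on purpose: it includes ReadPermissions, which ReadKey also carries.
$R = [System.Security.AccessControl.RegistryRights]
$writeMask = [int]($R::SetValue -bor $R::CreateSubKey -bor $R::CreateLink -bor
                   $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership)

function Get-BroadWriteGrant {
    param([string]$Path = $keyPath)

    $acl = Get-Acl -Path $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Include explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        $isAllow = $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
        if ($isAllow -and $broadSids.ContainsKey($sid) -and
            (([int]$rule.RegistryRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $broadSids[$sid]
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$findings = @(Get-BroadWriteGrant)
if ($findings.Count -eq 0) {
    "No write-capable grant to Everyone, Authenticated Users or BUILTIN\Users on $keyPath"
} else {
    $findings | Format-Table -AutoSize
}
```

Run it before and after the ACL change to see exactly which rule was added and whether it is explicit or inherited.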