I have two Windows Server 2012 R2 servers in a workgroup, on the first one I have MS SQL Server, the other is used (among other things) as a storage for backups. On the database server both the SQL Server Database Engine and SQL Server Agent run with default virtual accounts - NT Service\MSSQLSERVER and NT Service\SQLSERVERAGENT.
Now, I want to use Ola Hallengren maintenance jobs to backup my MS SQL Server databases. These scripts are wrapped into a SQL Server Agent job but the backup is a t-sql procedure thus executed by the SQL Server Database Engine with NT Service\MSSQLSERVER.
I've created an account on the storage server and a shared folder with access permissions for this account. I'm able to connect the share on the database server with a net use command providing credentials for the created account. There's a catch: the share is connected for an account which runs the net use command.
If I connect the share with Local System account (which supposed to be for all users) then still NT Service\MSSQLSERVER cannot access it, neither any other account can. Seems like the hack previously proposed on stackoverflow is fixed in Windows Server 2012 R2.
And if I run the net use command as a step in SQL Server Agent job, then it is done with the other virtual account - NT Service\SQLSERVERAGENT - and the backup step fails with "folder not found" error.
So I would like to know a way to create a Windows service account with all the necessary permissions for the SQL Server Database Engine service to be used in a workgroup environment. Or an explanation why it cannot be done. Ideally it should be a script - Powershell or VBScript.
I tried to run both SQL Server Dabase Engine and SQL Server Agent as Local System and the backup worked like a charm. But I would not consider this as a solution because it's not recommended from a security perspective.
Also I would not consider a solution to run the net use command with xp_cmdshell due to the same security reasons.