Re: builtin/administrators
From: Wayne Snyder (wayne.nospam.snyder_at_mariner-usa.com)
Date: 08/17/04
Date: Tue, 17 Aug 2004 17:14:51 -0400
If you add ANY NT group and grant that group SQL Admin privileges then you
can NOT prevent the NT admins from coming in... All they have to do is add
themselves to the NT group;...
--
Wayne Snyder, MCDBA, SQL Server MVP
Mariner, Charlotte, NC
www.mariner-usa.com
(Please respond only to the newsgroups.)

I support the Professional Association of SQL Server (PASS) and its
community of SQL Server professionals.
www.sqlpass.org

"Russell Fields" <RussellFields@NoMailPlease.Com> wrote in message
news:Of5AOPGhEHA.1356@TK2MSFTNGP09.phx.gbl...
> flo,
>
> Here is an article (talking about clusters) that addresses some of your
> concerns.
> http://support.microsoft.com/default.aspx?scid=kb;en-us;263712
>
> One example of a side-effect that you must manage is:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;237604
>
> Also, from the BOL on: Setting up Windows Services Accounts
> If the startup account assigned to the MSSQLServer Service is not a member
> of the Local Administrators group, or if the BUILTIN\Administrators SQL
> Server login has been removed, you must add the startup account for the
> MSSQLServer service or the SQLServerAgent service, or both, to the SQL
> Server system administrators (sysadmin) role. Grant the [Domain\NTaccount]
> user a logon to SQL Server.
>
> Hope that helps you.
>
> Russell Fields
>
> "flologic" <flo@flo.net> wrote in message
> news:eReee6FhEHA.632@TK2MSFTNGP12.phx.gbl...
> > Hi, our sql box has too many people (including sql service account) with
> > local admin rights, some even have domain admin rights. I am trying to
> > tighten the security on those boxes and decrease the security level of
> > those people. What I am planning to do is take builtin/administrator
> > login out of the sql box, and add sql services account back and grant SA
> > rights to it.
> > Does anyone see any problem with this approach? Thanks.
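
The sequence discussed in this thread, as an added T-SQL example that is not part of any poster's message: grant the service account sysadmin first, verify it, and only then remove BUILTIN\Administrators, then list any remaining NT groups that still hold sysadmin. It assumes a SQL Server 2000-era instance; `DOMAIN\sqlsvc` is a constructed placeholder for the MSSQLServer/SQLServerAgent startup account.

```sql
-- Added example; DOMAIN\sqlsvc is a placeholder, not a value from the thread.
DECLARE @svc sysname
SET @svc = N'DOMAIN\sqlsvc'

-- 1. Baseline: who holds sysadmin now, and which Windows accounts
--    reach it through the BUILTIN\Administrators group.
EXEC sp_helpsrvrolemember 'sysadmin'
EXEC master.dbo.xp_logininfo N'BUILTIN\Administrators', 'members'

-- 2. Give the service startup account its own login and sysadmin
--    membership BEFORE touching BUILTIN\Administrators, as the BOL
--    passage quoted above requires.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE loginname = @svc)
    EXEC sp_grantlogin @svc
EXEC sp_addsrvrolemember @svc, 'sysadmin'

-- 3. Remove the group login only if step 2 actually took effect;
--    otherwise stop, so the services do not lose access.
IF EXISTS (SELECT 1 FROM master.dbo.syslogins
           WHERE loginname = @svc AND sysadmin = 1)
BEGIN
    IF EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE loginname = N'BUILTIN\Administrators')
        EXEC sp_revokelogin N'BUILTIN\Administrators'
END
ELSE
    RAISERROR('Service account is not sysadmin; BUILTIN\Administrators left in place.', 16, 1)

-- 4. Any NT *group* that still holds sysadmin is an indirect path:
--    whoever can edit that group's membership in Windows can join it.
--    Review each group returned here with xp_logininfo ... 'members'.
SELECT loginname
FROM master.dbo.syslogins
WHERE isntgroup = 1 AND sysadmin = 1
ORDER BY loginname
```

Run it from a login that has sysadmin through something other than BUILTIN\Administrators, or the session that removes the group loses its own administrative access at the next connection.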