Re: Should I delete the NT/Admin's group in SQL Server 2k

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Mark Allison (mark_at_allisonmitchellyourpants.c0m)
Date: 02/18/04 

Date: Wed, 18 Feb 2004 21:24:34 -0000

If you are using Full-text search, don't delete the BUILTIN\Administrators
login. Just remove it from the sysadmin role. (Right-click the login, select
properties, then untick sysadmin).

What you should do is create a database role in each database, and grant
that role permissions that you want your developers to have. Then add the
logins you want to the database role. This way, if the developers'
requirements change, you only have to change the permissions on the database
role, and not on all their logins.

The other route you could take is put all the developers in one NT Group,
and grant the group. Even if going down this route, I like to use database
roles as an abstraction. 

-- 
Mark Allison
SQL Server MVP
http://www.allisonmitchell.com
"Bruce Martin" <anonymous@discussions.microsoft.com> wrote in message
news:1289b01c3f61c$9dc3d500$a501280a@phx.gbl...
> I'm making my way through various books, white papers
> etc, but I'm under the gun here so I'll ask here. We just
> installed SQL2K, and I was elected DBA and head of
> security. We are moving a bunch of internal applications
> from Access to SQL2K. Everyone here is running either
> Win2K or XP-PRO and are by default members of the
> NT/ADMIN's group. The default SQL2K setup allows them to
> log on with SA rights. I need them to be able to log on,
> and do anything they want in PUBS, NORTHWIND, and
> dca_conplan (new database) but not get to anything else.
> So should I delete the NT/ADMIN group, and create a new
> SQK2K group and assign the developers to that?
>
> TIA
>
> Bruce
>
> And I will continue to RTFM.

Relevant Pages

  • Re: Access 2007 and ADP to SQL Server 2005 in Vista
    ... If you try to connect to the server as "SA" or a different login with ... sysadmin role as Sylvain mentioned, ... If you create a new database other than connect to a existing database, ...
    (microsoft.public.access.adp.sqlserver)
  • Re: PDO: Switch database user without reopening connection
    ... At the bare minimum there will be a login user who only has ... modifications to the database as well (editors get update permission, ... As database connections are expensive to ... a certain visitor in the Session, and use that value to start the right ...
    (comp.lang.php)
  • Re: PDO: Switch database user without reopening connection
    ... At the bare minimum there will be a login user who only has ... the postgres user they are logged in as to one that can make ... modifications to the database as well (editors get update permission, ... As database connections are expensive to ...
    (comp.lang.php)
  • RE: How to allow users to change their password?
    ... be set up to provide the Security dialog window for password changes. ... I'll have to login using their login ... > name/password first. ... See http://www.QBuilt.com for all your database needs. ...
    (microsoft.public.access.security)
  • Re: Please! Doesnt anyone know a better way to do this?
    ... account, they need to automatically be directed to the page to enter data ... session variable on the Account page. ... I assume here that you're checking a database when the user attempts to ... When a new user attempts to login or clicks to register, ...
    (microsoft.public.dotnet.framework.aspnet)