Re: SQL Server Remote Management - Command Line Question

From: Sue Hoegemeier (Sue_H_at_nomail.please)
Date: 06/20/04

    Date: Sun, 20 Jun 2004 17:40:18 -0600
    
    

    If you are a local admin on the Win2K box that is running
    SQL Server and the BUILTIN\Administrators group has not been
    modified or removed, then yes you would be able to use osql
    or isql to add, delete, change logins, users in SQL Server.
    This is because the BUILTIN\Administrators group is by
    default a member of the sysadmin server role. Local admins
    would all be members of the BUILTIN\Administrators group.
    Of course a Windows account could also be granted the same
    rights explicitly rather than just inheriting these
    permissions via group membership.
    If you disable or delete the user's Windows account when the
    user leaves then it's not an issue. Many places first
    disable the account and then delete the account after xx
    days.

    -Sue

    On Sun, 20 Jun 2004 15:38:09 -0500, "JDB" <jbell@vitria.com>
    wrote:

    >As a Sys Admin, I was wondering - if I have admin rights to a Win2k machine
    >that is hosting SQL Server 2000, do I have the ability using any
    >command-line tools such as OSQL or ISQL to add, delete, or change accounts
    >registered in SQL Server for the various databases if I don't have access to
    >a specific account within SQL Server?
    >
    >I ask, because the question that came up was - what if we have a DBA leave
    >under less than amicable circumstances? Could I, someone who has admin
    >rights on the machine, be able to log into that machine remotely and somehow
    >via command line (I don't maintain active SQL clients centrally), change the
    >SA password, remove an account, and/or add an account with sysadmin rights,
    >etc?
    >
    >Thanks in advance for any help -
    >
    >
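
An added example, not part of the original posts: a T-SQL audit for the default grant described in the reply, checking whether BUILTIN\Administrators still holds sysadmin and which Windows accounts inherit it. It assumes SQL Server 2000 system objects (master.dbo.syslogins, xp_logininfo); the script file name and the EXAMPLE\SQLAdmins group are placeholders.

```sql
-- Added example: audit sysadmin membership on a SQL Server 2000 instance.
-- Run with a trusted connection, e.g.
--   osql -E -S <server> -i audit_sysadmin.sql   (file name is hypothetical)
SET NOCOUNT ON

-- 1. Every login that holds sysadmin, whether a SQL login, a Windows user
--    or a Windows group.
SELECT loginname,
       CASE WHEN isntgroup = 1 THEN 'Windows group'
            WHEN isntuser  = 1 THEN 'Windows user'
            ELSE 'SQL login' END AS login_type,
       hasaccess,
       denylogin
FROM   master.dbo.syslogins
WHERE  sysadmin = 1
ORDER  BY login_type, loginname

-- 2. Is the default BUILTIN\Administrators grant still in place?
IF EXISTS (SELECT * FROM master.dbo.syslogins
           WHERE loginname = N'BUILTIN\Administrators'
             AND sysadmin = 1 AND hasaccess = 1 AND denylogin = 0)
BEGIN
    PRINT 'BUILTIN\Administrators is sysadmin: local admins inherit sysadmin.'
    -- List the Windows accounts that inherit sysadmin through the group.
    EXEC master.dbo.xp_logininfo N'BUILTIN\Administrators', 'members'
END
ELSE
    PRINT 'BUILTIN\Administrators is not an active sysadmin login.'

-- 3. Hardening, left commented out: grant sysadmin explicitly to a named
--    DBA group (EXAMPLE\SQLAdmins is a placeholder), confirm that a member
--    of that group can connect as sysadmin, and only then remove the
--    inherited grant.
-- EXEC sp_grantlogin N'EXAMPLE\SQLAdmins'
-- EXEC sp_addsrvrolemember N'EXAMPLE\SQLAdmins', 'sysadmin'
-- EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', 'sysadmin'
```

Re-running step 1 after a staffing change shows whether any departed account still appears by name or through a listed group.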

