January 24, 2011 at 2:57 am
Hi All,
I am considering disabling the SA account for one of our SQL servers and am in the process of notifying all developers who have created apps which login to the server using the sa account.
I have noticed that a number of system processes, such as the LAZY WRITER and FTCATLG MONITOR, use the sa account.
How do i go about changing the account that these processes are using so that they are not affected if / when i disable the sa account?
Thanks.
January 24, 2011 at 3:39 am
System processes don't need to log in, so they are unaffected by any login changes. You can disable the sa account, it will have no effect on them. They're not actually logging in as sa.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
January 24, 2011 at 3:43 am
Thanks for your reply, i simply ran an sp_who2 and the system processes that i mentioned has 'sa' in the login column. I assume this is output by default for system processes?
January 24, 2011 at 4:08 am
It just has to do with the security identifier they use. They do not log in at all (system processes run internal in the engine) and hence won't be affected.
My instance, where I have sa disabled, shows the same.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
January 24, 2011 at 4:11 am
Thats great, thanks very much for your help.
January 24, 2011 at 4:13 am
yes ! system processes shows that it sa, but it will not affect on the processes. you can go ahead.!
January 25, 2011 at 2:13 am
Hi
I'd be more inclined to set the developers applications up to run under other logins then change the password of the SA account so they can't use it any more, that way the DBAs can still use SA if they need it and you regain some control over the developers apps. Just a thought.
Harv
January 25, 2011 at 8:00 am
I can't think of a situation, other than stupidly written vendor apps, where any developer or DBA would need to login using SA as opposed to granting SA equvalency to their ID. As far as I know, allowing use of SA completely removes the ability to determine who did what to data.
March 13, 2012 at 10:24 am
One question: must the "sa" login be granted to connect to database engine in order for internal processes to function correctly ?
My situation is: "sa" appears in sp_who output loginame column , "sa" login is disabled and I see "permission to connect to database engine" set to "Grant" in the properties window of "sa" Security Logins.
The other option for "permission to connect to database engine" is "Deny" .
March 13, 2012 at 2:08 pm
You can't change SA's permissions, so the question is moot.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
November 25, 2015 at 11:50 am
GilaMonster (1/24/2011)
System processes don't need to log in, so they are unaffected by any login changes. You can disable the sa account, it will have no effect on them. They're not actually logging in as sa.
Thanks, Gail! I just had this same question given that we disable our sa login, and I found your answer here in this thread.
- webrunner
-------------------
A SQL query walks into a bar and sees two tables. He walks up to them and asks, "Can I join you?"
Ref.: http://tkyte.blogspot.com/2009/02/sql-joke.html
Viewing 11 posts - 1 through 10 (of 10 total)
You must be logged in to reply to this topic. Login to reply