Policy Management: BUILTIN\Administrators are sysadmin's

SQLServerCentral is supported by Red Gate Software Ltd.

Popular Topics

Home

Members

Calendar

Who's On

Home » SQL Server 2008 » SQL Server 2008 Administration » Policy Management: BUILTIN\Administrators are...

Policy Management: BUILTIN\Administrators are sysadmin's

Rate Topic

Display Mode

Topic Options

Author

Message

Jon.Morisi

Posted Friday, April 29, 2011 12:19 PM

SSC Veteran

Group: General Forum Members
Last Login: Tuesday, May 07, 2013 8:12 AM
Points: 275, Visits: 679

Hi,
I'm trying to create a policy to check that the Server Roles for BUILTIN\Administrators includes sysadmin. I've not been able to locate a Server Role facet or other facet that includes a property for Server Role.

So far I've got a condition on the login facet @Name = 'builtin\administrators'. I"m using this as the target for the policy, but that big missing piece is where to check the server role.

Anyone know where the needle is?

Post #1100990

Colleen M. Morrow

Posted Friday, April 29, 2011 1:29 PM

Old Hand

Group: General Forum Members
Last Login: Sunday, April 14, 2013 8:05 AM
Points: 300, Visits: 818

Take a look at this article. Though he doesn't say it, the @WindowsUsersAndGroupsInSysadminRole he talks about is in the Server Installation Settings facet. (Of course Wink

)

Colleen M. Morrow
Cleveland DBA

Post #1101031

Jon.Morisi

Posted Friday, April 29, 2011 3:20 PM

SSC Veteran

Group: General Forum Members
Last Login: Tuesday, May 07, 2013 8:12 AM
Points: 275, Visits: 679

Thanks I actually saw that and it doesn't do what I'm trying to do.

I've tried this:
Facet: Server Installation (not mentioned in that link)
@WindowsUsersAndGroupsInSysadminRole = Array('builtin\administrators')
The array that gets returned is all users and groups in the sysadmin role so it fails.
If you have many servers with different lists of sysadmins, this won't work.

Post #1101076

Jon.Morisi

Posted Friday, April 29, 2011 3:48 PM

SSC Veteran

Group: General Forum Members
Last Login: Tuesday, May 07, 2013 8:12 AM
Points: 275, Visits: 679

I spent most of my day figuring this out so I decided to create a blogger account:

http://jonmorisissqlblog.blogspot.com/2011/04/configure-policy-to-checks-that.html

Post #1101082

Jon.Morisi

Posted Friday, April 29, 2011 3:50 PM

SSC Veteran

Group: General Forum Members
Last Login: Tuesday, May 07, 2013 8:12 AM
Points: 275, Visits: 679

Post #1101086

Colleen M. Morrow

Posted Monday, May 02, 2011 9:15 AM

Old Hand

Group: General Forum Members
Last Login: Sunday, April 14, 2013 8:05 AM
Points: 300, Visits: 818

Awesome, thanks for sharing your solution!

Colleen M. Morrow
Cleveland DBA

Post #1101651

« Prev Topic | Next Topic »

Permissions