Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase 123»»»

Removing the Builtin Administrators - Some Pitfalls to Avoid Expand / Collapse
Author
Message
Posted Tuesday, January 04, 2005 3:35 PM


Right there with Babe

Right there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with Babe

Group: General Forum Members
Last Login: Thursday, April 17, 2014 6:32 PM
Points: 769, Visits: 241
Comments posted to this topic are about the content posted at http://www.sqlserv

Aunt Kathi
Microsoft
(Former SQL Server MVP)
Post #153613
Posted Wednesday, January 12, 2005 1:04 AM
Right there with Babe

Right there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with Babe

Group: General Forum Members
Last Login: Monday, April 14, 2014 2:50 AM
Points: 739, Visits: 203

I find that adding in the 'nt authority\system' account in (as an admin) prior to removing the builtin\admin stops a lot of the pain with 3rd party backup solutions etc.

 




Steven
Post #154945
Posted Wednesday, January 12, 2005 6:56 AM


SSC Veteran

SSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC Veteran

Group: General Forum Members
Last Login: Thursday, April 17, 2014 1:24 PM
Points: 292, Visits: 255

Here are some more gotchas. Some I have run into and some just came up when I searched for "Builtin Administrators" in the MS Knowledge Base with SQL Server 200 selected as the product.

PRB: SQL Server Full-Text Search Does Not Populate Catalogs
http://support.microsoft.com/default.aspx?scid=kb;en-us;317746

BUG: IsAlive check does not run under the context of the BUILTIN\Administrators account in SQL Server 2000 Enterprise Edition
http://support.microsoft.com/default.aspx?scid=kb;en-us;291255

Be especially careful on clusters. See the following article for more information on this topic in relation to clustered instances of SQL Server:

INF: How to impede Windows NT administrators from administering a clustered instance of SQL Server
http://support.microsoft.com/kb/263712/EN-US/

There were some other articles that came up in the search but I did not include the ones marked "FIX" or "INF" except for the one clustering article. Basically, make sure everything is working right before you remove this group account. That way, if anything breaks, you know exactly why. Then you can put the group back in and research the proper solution.



Bryant E. Byrd, BSSE MCDBA MCAD
Business Intelligence Administrator
MSBI Administration Blog
Post #155038
Posted Wednesday, January 12, 2005 11:12 AM
Mr or Mrs. 500

Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500

Group: General Forum Members
Last Login: Tuesday, April 08, 2014 2:34 PM
Points: 548, Visits: 161
Do you know where none of my 5 servers (SQL 2000 Std) have the "Via group membership" option in the login propierties screens?
Post #155132
Posted Wednesday, January 12, 2005 11:47 AM


Right there with Babe

Right there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with Babe

Group: General Forum Members
Last Login: Thursday, April 17, 2014 6:32 PM
Points: 769, Visits: 241

The "Via group membership" option disappeared after I changed the setting.  I thought it was odd as well, but I was just glad the problem was solved!

 

 



Aunt Kathi
Microsoft
(Former SQL Server MVP)
Post #155139
Posted Wednesday, January 12, 2005 2:41 PM


Keeper of the Duck

Keeper of the Duck

Group: Moderators
Last Login: Thursday, April 03, 2014 10:06 PM
Points: 6,621, Visits: 1,851
Yup. Many configure their agent service to run as the local System account. Although truthfully there has always been an avenue to backup without the need for such rights (Backup Operators and now the user rights in the security policies) but few companies locked down their agents tight as a drum on the security side.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #155209
Posted Tuesday, March 08, 2005 9:54 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Friday, March 03, 2006 11:20 AM
Points: 8, Visits: 1

Interesting article.  Now that I accidently deleted the the BUILTIN/Admin, how can I add it back in?

Thanks for the help

Bill

 

Post #166290
Posted Tuesday, March 08, 2005 10:01 AM


Keeper of the Duck

Keeper of the Duck

Group: Moderators
Last Login: Thursday, April 03, 2014 10:06 PM
Points: 6,621, Visits: 1,851
Log on as an account that is a sysadmin role member, such as the sa account, through Query Analyzer. Execute the following:

EXEC sp_grantlogin 'BUILTIN\Administrators'
EXEC sp_addsrvrolemember 'BUILTIN\Administrators', 'sysadmin'




K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #166292
Posted Tuesday, October 25, 2005 3:28 AM
Mr or Mrs. 500

Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500

Group: General Forum Members
Last Login: Thursday, April 17, 2014 8:20 AM
Points: 547, Visits: 1,126

I've made a point of removing it from new servers once SQL is installed and the service and agent startup accounts are properly set.

That way it is out before any databases (other than master etc) or users are created so they are created with the rights and logins they need.

Post #231929
Posted Thursday, January 12, 2006 8:52 AM
SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Friday, September 13, 2013 2:41 PM
Points: 49, Visits: 42

Interesting.  Thanks for your comments, especially on the "Through Group Membership" issue.

 




Post #250314
« Prev Topic | Next Topic »

Add to briefcase 123»»»

Permissions Expand / Collapse