Removing the Builtin Administrators - Some Pitfalls to Avoid
Posted Thursday, January 12, 2006 9:52 AM
Grasshopper


Kathi:

Great Article.  Thanks.

I am interested in your login handling job........

"...The way I accomplished this was by adding the accounts and required access start and end dates to a table. My script grants or removes logins based on the accounts listed and dates. That way, when I need to give access to someone temporarily, which happens frequently, all I have to do is add the account and dates to the table and forget about it. ..."

I think this would be useful for a lot of reasons.  Have you ever written this up?  I think it would make a great article.

Thanks.

Steve B.

Post #250344
Posted Thursday, January 12, 2006 9:57 AM


Right there with Babe


Steve,

I'm glad you liked the article.  Sure, I could write an article on this. However, I am very bad in that I am pulling data from system tables.  Maybe I can rewrite my proc for SQL 2005 and include both in the article.

Kathi

 

 



Aunt Kathi
Microsoft
(Former SQL Server MVP)
Post #250349
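
The table-driven temporary access job quoted above could look like the following on SQL Server 2005 or later. This is an added example, not Kathi's procedure; the table, procedure and account names are hypothetical, and it assumes Windows logins only.

```sql
-- Added example, not the author's procedure. All object names are hypothetical.
CREATE TABLE dbo.TempLoginAccess (
    LoginName sysname  NOT NULL PRIMARY KEY,  -- e.g. N'CONTOSO\jsmith' (constructed)
    StartDate datetime NOT NULL,
    EndDate   datetime NOT NULL,
    CONSTRAINT CK_TempLoginAccess_Dates CHECK (EndDate > StartDate)
);
GO
CREATE PROCEDURE dbo.SyncTempLogins
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @name sysname, @inWindow bit, @exists bit, @sql nvarchar(400);

    -- STATIC: work from a snapshot, since the loop changes sys.server_principals.
    DECLARE c CURSOR LOCAL STATIC FOR
        SELECT t.LoginName,
               CASE WHEN GETDATE() >= t.StartDate AND GETDATE() < t.EndDate
                    THEN 1 ELSE 0 END,
               CASE WHEN p.principal_id IS NULL THEN 0 ELSE 1 END
        FROM dbo.TempLoginAccess AS t
        LEFT JOIN sys.server_principals AS p
               ON p.name COLLATE DATABASE_DEFAULT = t.LoginName
              AND p.type IN ('U', 'G');          -- Windows user or group
    OPEN c;
    FETCH NEXT FROM c INTO @name, @inWindow, @exists;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        SET @sql = NULL;
        IF @inWindow = 1 AND @exists = 0         -- access period started: grant
            SET @sql = N'CREATE LOGIN ' + QUOTENAME(@name) + N' FROM WINDOWS;';
        ELSE IF @inWindow = 0 AND @exists = 1    -- not started yet or expired: remove
            SET @sql = N'DROP LOGIN ' + QUOTENAME(@name) + N';';

        IF @sql IS NOT NULL
        BEGIN
            PRINT @sql;   -- ends up in the Agent job history as an audit trail
            EXEC (@sql);  -- DROP LOGIN fails while the login is connected; next run retries
        END
        FETCH NEXT FROM c INTO @name, @inWindow, @exists;
    END
    CLOSE c;
    DEALLOCATE c;
END
GO
```

Scheduled as an Agent job, this only creates and drops the server login; database users and role memberships for the temporary account still have to be granted and cleaned up separately.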
Posted Friday, August 10, 2007 7:35 AM
SSC-Enthusiastic


"Via Group Membership" is interesting to me.  I've wondered if it happens when someone has db_owner rights via a Windows group and then creates an object.  You can give a group access to a database, but I bet when they create an object under their owner, then it needs to create the login and uses "via group membership" to denote that you didn't add it yourself.

When you remove BUILTIN\Administrators group and your server/network people want to take the box down for maintenance, do they call you to stop SQL gracefully, or do they just pull the plug?




Post #389639
Posted Friday, August 10, 2007 11:06 AM
Old Hand

Has anyone just disabled the Builtin\Administrators account? That way you can test and if something breaks you can enable it and correct the issue. And if nothing is broken you can just leave it disabled until you actually need it.

Just a thought



Post #389768
Posted Monday, August 20, 2007 3:30 PM
Valued Member


Hi Grasshopper,

There is no "Disable" but "Deny" will certainly work for testing purposes.  I would eventually delete, though, or someone may come along and grant access.  In our Corp environment there are well over 100 users with some nested privilege under the Builtin\Administrators account, so our policy is to set up SQL services with domain accounts, add the DBA group as sysAdmin, and then delete the Builtin\Administrators account after every setup of a new server.

John D

Post #392263
Posted Monday, June 2, 2008 8:28 AM
SSCommitted

So, I didn't read these type posts before deleting the Builtin\Admin group. Now our third-party backup process is crying for failure to login as "NT Authority\SYSTEM". Should I just re-add the Builtin\Admin or just give sysadmin rights to nt authority\system or is it pretty much the same? Thanks.

Chris
Post #509893
Posted Monday, June 2, 2008 12:52 PM


Keeper of the Duck

Add NT Authority\SYSTEM and grant it the appropriate rights. You probably have netbackup or the like running its agent service as the local system account. That is preferable to re-adding BUILTIN\Administrators if you can help it.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
Post #510179
Posted Monday, June 2, 2008 1:15 PM
SSCommitted

Great! Thanks, Brian.
Post #510213
Posted Monday, June 2, 2008 1:49 PM


SSCertifiable

Christopher G.S. Johnson (6/2/2008)
So, I didn't read these type posts before deleting the Builtin\Admin group. Now our third-party backup process is crying for failure to login as "NT Authority\SYSTEM". Should I just re-add the Builtin\Admin or just give sysadmin rights to nt authority\system or is it pretty much the same? Thanks.

Chris


Maybe you'd be better off making the tool's service account a registered "backup admin" for your instance, instead of the spooky builtin set.


Johan


Don't drive faster than your guardian angel can fly ...
but keeping both feet on the ground won't get you anywhere

Post #510245
Posted Monday, June 2, 2008 2:25 PM
Valued Member

As ALZDBA points out--It is better to create a Windows account for the service to run under than NT Authority\SYSTEM. Granting permission to NT Authority\SYSTEM gives "any" service or application, running under that context, the same rights to the SQL Server and there is even less traceability than BUILTIN\Administrators.
Post #510280
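
A pre-removal check that ties the thread together: find what currently depends on group-based access (such as an agent connecting as NT AUTHORITY\SYSTEM), give the DBA group its own sysadmin membership, then deny before dropping. This is an added example, not code from any poster; CONTOSO\SQL-DBAs is a constructed group name, and the syntax assumes SQL Server 2005 or later with the script run under a Windows login.

```sql
-- Added example; CONTOSO\SQL-DBAs is a constructed group name.
DECLARE @dba sysname, @me sysname, @sql nvarchar(300);
SET @dba = N'CONTOSO\SQL-DBAs';
SET @me  = SUSER_SNAME();

-- 1. Current sysadmin members: BUILTIN\Administrators must not be the only route in.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 2. Sessions whose account has no login of its own, i.e. it connects through
--    some Windows group. Agents running as NT AUTHORITY\SYSTEM show up here.
SELECT s.login_name, s.program_name, s.host_name, COUNT(*) AS session_count
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND NOT EXISTS (SELECT 1 FROM sys.server_principals AS p
                  WHERE p.name = s.login_name)
GROUP BY s.login_name, s.program_name, s.host_name;

-- 3. Every permission path for the Windows account running this script.
EXEC master.dbo.xp_logininfo @acctname = @me, @option = 'all';

-- 4. Give the DBA group its own login and sysadmin membership first.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @dba)
BEGIN
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@dba) + N' FROM WINDOWS;';
    EXEC (@sql);
END
EXEC sp_addsrvrolemember @loginame = @dba, @rolename = N'sysadmin';

-- 5. Test window: deny instead of drop. Keep this session open and confirm that
--    a NEW connection through the DBA group works before closing it.
DENY CONNECT SQL TO [BUILTIN\Administrators];
-- Roll back the test with: GRANT CONNECT SQL TO [BUILTIN\Administrators];

-- 6. After the test window, once step 2 shows nothing unexpected:
-- DROP LOGIN [BUILTIN\Administrators];
```

Step 2 is a point-in-time snapshot, so run it several times across a full backup and maintenance cycle; a nightly agent will not appear in a midday sample.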