Kathi:
Great Article. Thanks.
I am interested in your login handling job........
"...The way I accomplished this was by adding the accounts and required access start and end dates to a table. My script grants or removes logins based on the accounts listed and dates. That way, when I need to give access to someone temporarily, which happens frequently, all I have to do is add the account and dates to the table and forget about it. ..."
I think this would be useful for a lot of reasons. Have you ever written this up? I think it would make a great article.
Thanks.
Steve B.
Steve,
I'm glad you liked the article. Sure, I could write an article on this. However, I am very bad in that I am pulling data from system tables. Maybe I can rewrite my proc for SQL 2005 and include both in the article.
Kathi
"Via Group Membership" is interesting to me. I've wondered if it happens when someone has db_owner rights via a Windows group and then creates an object. You can give a group access to a database, but I bet when they create an object under their owner, then it needs to create the login and uses "via group membership" to denote that you didn't add it yourself.
When you remove BUILTIN\Administrators group and your server/network people want to take the box down for maintenance, do they call you to stop SQL gracefully, or do they just pull the plug?
Hi Grasshopper,
There is no "Disable" but "Deny" will certainly work for testing purposes. I would eventually delete though or someone may come along a grant access. In our Corp environment there are well over 100 users with some nested privilage under the Builtin\Administrators account so our policy is to setup SQL services with domain accounts, add the DBA group as sysAdmin, and then delete the Builtin\Administrators account after every setup of a new server.
John D
Jul 13
