Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase 123»»»

sa removal Expand / Collapse
Author
Message
Posted Saturday, May 24, 2008 3:24 PM


Say Hey Kid

Say Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey Kid

Group: General Forum Members
Last Login: Sunday, January 29, 2012 1:45 AM
Points: 710, Visits: 1,284
hi all.
am on a production server and i want ton role. know what i can do in order to make the sa login without any power.
i know that i can disable the account, but it must by some thing more i can do, like remove it from the sysadmin role using some work around but i cant find out how.
any one have any good ideas.??


..>>..

MobashA
Post #506277
Posted Saturday, May 24, 2008 4:23 PM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: General Forum Members
Last Login: Today @ 10:42 PM
Points: 36,952, Visits: 31,460
It's easy... don't try to remove the SA login... just change the password and don't give it out to anyone, ever...

--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013

Helpful Links:
How to post code problems
How to post performance problems
Post #506282
Posted Sunday, May 25, 2008 12:37 AM


Say Hey Kid

Say Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey Kid

Group: General Forum Members
Last Login: Sunday, January 29, 2012 1:45 AM
Points: 710, Visits: 1,284
yes i can do so, the case is am new in the company and every one used to use the sa for any thing even select statements, when i ask some one what he want to do in order to give him the needed priv he said he want the sa (the general manager), but if i get rid of the sa so no one will ask for it..

..>>..

MobashA
Post #506308
Posted Sunday, May 25, 2008 8:55 AM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: General Forum Members
Last Login: Today @ 10:42 PM
Points: 36,952, Visits: 31,460
If you simply rip the SA rug out from under them, you'll make a lot of enemies... you need to get management to buy into a good security plan where folks have read access and they have a "reporting" database (sandbox, really), where they can play to their little hearts content. We have one that is "restored" every four hours from the production box. There's a separate "work" database where folks can store their favorite queries without them being overwritten every four hours. That way, they can have a login with "SA" privs without taking the chance on blowing production out of the water.

It'll take you 3 or 4 months to convince management of such a thing, but it's well worth it... makes everyone happy.


--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013

Helpful Links:
How to post code problems
How to post performance problems
Post #506327
Posted Sunday, May 25, 2008 11:47 PM


Say Hey Kid

Say Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey Kid

Group: General Forum Members
Last Login: Sunday, January 29, 2012 1:45 AM
Points: 710, Visits: 1,284
i have already convienced them to remove the sa, but still may some one ask for it as he knows that sa is the most powerfull user, so i dont want top give him a chance.

..>>..

MobashA
Post #506376
Posted Monday, May 26, 2008 7:17 AM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: General Forum Members
Last Login: Today @ 10:42 PM
Points: 36,952, Visits: 31,460
I can't get over the gut feeling that it's a bad idea, but here goes...

First, make sure that some other user, preferably some DBA (yourself?) has SA privs.

Second, open SSMS and click on {View}{Object Explorer}. Expand {security} and then {logins}. Double click on SA and a new window will open. Click on {server roles}. Find the {sysadmin} role and deselect it. Click {OK}.


--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013

Helpful Links:
How to post code problems
How to post performance problems
Post #506475
Posted Monday, May 26, 2008 7:41 AM


SSC-Forever

SSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-Forever

Group: General Forum Members
Last Login: Today @ 9:36 AM
Points: 42,765, Visits: 35,863
You can disable the sa account. On SQL 2005, you can also rename it if you like (and create a new login named sa with any permissions you like), however you cannot modify the original sa login.

If you try to remove it from the sysadmin group, you get an error:
Error 15405
Drop member failed for ServerRole 'sysadmin'
Cannot use the special principal 'sa'

You can rename from object explorer in management studio. Right click the login and choose 'rename'



Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #506483
Posted Monday, May 26, 2008 7:43 AM


SSC-Forever

SSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-Forever

Group: General Forum Members
Last Login: Today @ 9:36 AM
Points: 42,765, Visits: 35,863
mobasha (5/25/2008)
i have already convienced them to remove the sa, but still may some one ask for it as he knows that sa is the most powerfull user, so i dont want top give him a chance.


Tell him 'No'. Tell him that handing out the sa password is against your security policies (if it's not, it should be)

You're looking for a technological solution to a non-technological problem



Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #506484
Posted Monday, May 26, 2008 8:00 AM


Say Hey Kid

Say Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey Kid

Group: General Forum Members
Last Login: Sunday, January 29, 2012 1:45 AM
Points: 710, Visits: 1,284
it would be like this:
he ask for sa i say i have no such login, tell me what u want and i will provide u with a user to do what u need.
end of sotry.
u know am not the only DBA, but soon i will, so i cant disable the sa out of blow or keep the password just for my self, i need time before say no.


..>>..

MobashA
Post #506487
Posted Monday, May 26, 2008 9:37 AM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: General Forum Members
Last Login: Today @ 10:42 PM
Points: 36,952, Visits: 31,460
mobasha (5/26/2008)
it would be like this:
he ask for sa i say i have no such login, tell me what u want and i will provide u with a user to do what u need.
end of sotry.
u know am not the only DBA, but soon i will, so i cant disable the sa out of blow or keep the password just for my self, i need time before say no.


That's what you get for "lying"... the real fact is the SA login exists... muster up your courage, get full management support, and start telling people "NO", they can't have the SA password. Doing what you said...

"tell me what u want and i will provide u with a user to do what u need."

... should be prefaced with "Management says no one but DBA's get's the SA password, however, tell me what u want and i will provide u with a user to do what u need." is the best way to go.


--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013

Helpful Links:
How to post code problems
How to post performance problems
Post #506513
« Prev Topic | Next Topic »

Add to briefcase 123»»»

Permissions Expand / Collapse