Modifying access to local Administrator account

SQLServerCentral is supported by Red Gate Software Ltd.

Popular Topics

Home

Members

Calendar

Who's On

Home » SQL Server 2008 » SQL Server 2008 - General » Modifying access to local Administrator...

Modifying access to local Administrator account

Rate Topic

Display Mode

Topic Options

Author

Message

naramsg

Posted Monday, December 08, 2008 1:58 AM

Grasshopper

Group: General Forum Members
Last Login: Wednesday, November 28, 2012 6:20 AM
Points: 24, Visits: 201

Hi,

Sorry I'm posting this topic under SQL Server 2008 - General, but I couldn't find a SQL Server 2008 - Security forum section.

When installing SQL Server 2008 on one of our servers, there is an option of giving SQL Server administrative privileges to any Windows user. I provided the local administrator account under this section, as a result of which I'm able to access and make DDL modifications on all databases.

Since I now have to share the local administrator password with another person, and I would therefore like to restrict the local administrator's access to db_datareader.

I tried doing this under Databases > Security > Users, but even after modifying access to the user, I'm still able to create/delete tables.

I also tried doing this under Server Security > Logins, but I couldn't find the user here. I also looked for any of the user groups, but the Administrator account is not present in any of the user groups.

I also modified access on the global level (right-clicking on the server name > Properties and Security), but I'm still able to create/delete tables.

Any idea what I must do to restrict access to the local administrator? Kindly revert.

Thanks!
Guru

Post #615394

Nicholas Cain

Posted Monday, December 08, 2008 6:15 AM

SSCrazy

Group: General Forum Members
Last Login: Wednesday, May 15, 2013 4:27 PM
Points: 2,007, Visits: 6,040

I would ensure that the "BUILTIN\Administrators" group is removed from the sysadmin server role.

Of course, prior to doing that make sure that you have another group, or account with sysadmin privilege that you can use to access with sysadmin rights.

Shamless self promotion - read my blog http://sirsql.net

Post #615491

Jerry Hung

Posted Monday, December 08, 2008 12:44 PM

Right there with Babe

Group: General Forum Members
Last Login: Wednesday, May 08, 2013 3:02 PM
Points: 768, Visits: 1,159

Make sure you won't lock yourself out (i.e. create your account/domain account in SQL with sysadmin, or know the sa account)

By default, I believe SQL 2008 doesn't include BUILTIN\Administrators as sysadmin, while SQL 2005 does
It is not good practice to automatically assume all Local Admins are SQL Admins

Another way is to add that other user's account specifically (say DOMAIN\userB), and give him data_reader only
The login permissions should override the group permissions

SQLServerNewbie

MCITP: Database Administrator SQL Server 2005

Post #615739

naramsg

Posted Tuesday, December 09, 2008 6:48 AM

Grasshopper

Group: General Forum Members
Last Login: Wednesday, November 28, 2012 6:20 AM
Points: 24, Visits: 201

Nicholas, thanks for your reply. The user is not listed under any of the groups under Server Roles, but is still able to access the DB.

Jerry, the user is able to access and make DDL modifications to the DB even if I give only db_datareader access. Seems very strange...

For now, I've disabled the login...

Regards,
Guru

Post #616088

« Prev Topic | Next Topic »

Permissions