Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Modifying access to local Administrator account Expand / Collapse
Author
Message
Posted Monday, December 8, 2008 1:58 AM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Wednesday, November 28, 2012 6:20 AM
Points: 24, Visits: 201
Hi,

Sorry I'm posting this topic under SQL Server 2008 - General, but I couldn't find a SQL Server 2008 - Security forum section.

When installing SQL Server 2008 on one of our servers, there is an option of giving SQL Server administrative privileges to any Windows user. I provided the local administrator account under this section, as a result of which I'm able to access and make DDL modifications on all databases.

Since I now have to share the local administrator password with another person, and I would therefore like to restrict the local administrator's access to db_datareader.

I tried doing this under Databases > Security > Users, but even after modifying access to the user, I'm still able to create/delete tables.

I also tried doing this under Server Security > Logins, but I couldn't find the user here. I also looked for any of the user groups, but the Administrator account is not present in any of the user groups.

I also modified access on the global level (right-clicking on the server name > Properties and Security), but I'm still able to create/delete tables.

Any idea what I must do to restrict access to the local administrator? Kindly revert.

Thanks!
Guru
Post #615394
Posted Monday, December 8, 2008 6:15 AM


SSCrazy

SSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazy

Group: General Forum Members
Last Login: Friday, July 11, 2014 10:29 PM
Points: 2,007, Visits: 6,077
I would ensure that the "BUILTIN\Administrators" group is removed from the sysadmin server role.

Of course, prior to doing that make sure that you have another group, or account with sysadmin privilege that you can use to access with sysadmin rights.




Shamless self promotion - read my blog http://sirsql.net
Post #615491
Posted Monday, December 8, 2008 12:44 PM


Right there with Babe

Right there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with Babe

Group: General Forum Members
Last Login: Today @ 8:36 AM
Points: 772, Visits: 1,183
Make sure you won't lock yourself out (i.e. create your account/domain account in SQL with sysadmin, or know the sa account)

By default, I believe SQL 2008 doesn't include BUILTIN\Administrators as sysadmin, while SQL 2005 does
It is not good practice to automatically assume all Local Admins are SQL Admins

Another way is to add that other user's account specifically (say DOMAIN\userB), and give him data_reader only
The login permissions should override the group permissions


SQLServerNewbie

MCITP: Database Administrator SQL Server 2005
Post #615739
Posted Tuesday, December 9, 2008 6:48 AM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Wednesday, November 28, 2012 6:20 AM
Points: 24, Visits: 201
Nicholas, thanks for your reply. The user is not listed under any of the groups under Server Roles, but is still able to access the DB.

Jerry, the user is able to access and make DDL modifications to the DB even if I give only db_datareader access. Seems very strange...

For now, I've disabled the login...


Regards,
Guru
Post #616088
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse