Denying Local Administrators accounts Sysadmin rights ?
ZeeAtl
Posted Thursday, February 18, 2010 1:17 PM
How do I deny members (domain accounts) who are members of Local Administrators group Sysadmin privileges on my local instance of SQL Server 2005?
I am using Windows Authentication rather than SQL Server authentication for access / connection to SQL Server.
Thanks,
Zee - Atlanta
Post #868464
Lynn Pettis
Posted Thursday, February 18, 2010 1:21 PM
First, make sure you have at least two ways to login with sys admin rights. One way is to have a group created and have the DBA's assigned to that group and give that group sys admin rights. The second, have a privileged account for each of the DBA's created and add those to the database with sys admin rights. Once you have that done, you can delete the Builtin\administrator account (group) and this will take away the ability of local admins from getting into SQL Server (unless they add themselves to your DBA group).
Lynn Pettis
Post #868470
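The order of operations described in the post above, as an added T-SQL example for SQL Server 2005 (not code from the thread). The names `CONTOSO\SQL-DBAs` and `CONTOSO\dba1-admin` are hypothetical placeholders for the DBA group and an individual privileged account.

```sql
-- Added example; CONTOSO\SQL-DBAs and CONTOSO\dba1-admin are hypothetical names.
USE master;
GO

-- Path 1: a Windows group that holds the DBAs.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\SQL-DBAs')
    CREATE LOGIN [CONTOSO\SQL-DBAs] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQL-DBAs', @rolename = N'sysadmin';

-- Path 2: an individual privileged account for a DBA.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\dba1-admin')
    CREATE LOGIN [CONTOSO\dba1-admin] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\dba1-admin', @rolename = N'sysadmin';
GO

-- Review every current sysadmin member before removing anything.
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
GO

-- Guard: count enabled Windows logins/groups with sysadmin, excluding
-- BUILTIN\Administrators, NT AUTHORITY\SYSTEM and the service groups that
-- SQL Server 2005 setup creates (names contain "SQLServer2005").
DECLARE @other_paths int;
SELECT @other_paths = COUNT(*)
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
  AND m.type IN ('U', 'G')          -- U = Windows login, G = Windows group
  AND m.is_disabled = 0
  AND m.name NOT IN (N'BUILTIN\Administrators', N'NT AUTHORITY\SYSTEM')
  AND m.name NOT LIKE N'%SQLServer2005%';

-- Drop the login only when at least two other sysadmin paths exist.
IF @other_paths >= 2
   AND EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'BUILTIN\Administrators')
    DROP LOGIN [BUILTIN\Administrators];
ELSE
    RAISERROR(N'BUILTIN\Administrators not dropped: fewer than two other sysadmin paths, or login not present.', 16, 1);
GO
```

Open a fresh connection as one of the new sysadmin accounts and confirm it works before running the final batch.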
Matt Miller (#4)
Posted Thursday, February 18, 2010 1:32 PM
Lynn Pettis (2/18/2010)
First, make sure you have at least two ways to login with sys admin rights. One way is to have a group created and have the DBA's assigned to that group and give that group sys admin rights. The second, have a privileged account for each of the DBA's created and add those to the database with sys admin rights. Once you have that done, you can delete the Builtin\administrator account (group) and this will take away the ability of local admins from getting into SQL Server (unless they add themselves to your DBA group).
..until they invoke the DAC.....
----------------------------------------------------------------------------------
Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
Post #868478
Lynn Pettis
Posted Thursday, February 18, 2010 1:58 PM
Matt Miller (#4) (2/18/2010)
Lynn Pettis (2/18/2010)
First, make sure you have at least two ways to login with sys admin rights. One way is to have a group created and have the DBA's assigned to that group and give that group sys admin rights. The second, have a privileged account for each of the DBA's created and add those to the database with sys admin rights. Once you have that done, you can delete the Builtin\administrator account (group) and this will take away the ability of local admins from getting into SQL Server (unless they add themselves to your DBA group).
..until they invoke the DAC.....
If you have that enabled. It is disabled by default. Which reminds me, I should check that on the new servers. So much going on in such a short time.
Also, hopefully they don't know how to access SQL Server via the DAC. I've used it once, and that was more of a test to see how it worked and what I could do.
Lynn Pettis
Post #868505
Matt Miller (#4)
Posted Thursday, February 18, 2010 2:17 PM
Lynn Pettis (2/18/2010)
Matt Miller (#4) (2/18/2010)
Lynn Pettis (2/18/2010)
First, make sure you have at least two ways to login with sys admin rights. One way is to have a group created and have the DBA's assigned to that group and give that group sys admin rights. The second, have a privileged account for each of the DBA's created and add those to the database with sys admin rights. Once you have that done, you can delete the Builtin\administrator account (group) and this will take away the ability of local admins from getting into SQL Server (unless they add themselves to your DBA group).
..until they invoke the DAC.....
If you have that enabled. It is disabled by default. Which reminds me, I should check that on the new servers. So much going on in such a short time.
Also, hopefully they don't know how to access SQL Server via the DAC. I've used it once, and that was more of a test to see how it worked and what I could do.
How do you disable the local DAC? As I recall - the ability to access DAC remotely is what's disabled.
That said - it might be good to know how to disable it locally if you can.
Post #868525
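For the DAC questions raised in the replies above, an added T-SQL example (not code from the thread) that checks the server option governing remote DAC access and lists any sessions currently on the DAC endpoint. The option name `remote admin connections` and the endpoint name `Dedicated Admin Connection` are the standard SQL Server names; a value of 0 means the DAC accepts local connections only. The DAC accepts only logins that are members of sysadmin, so the last query shows who could use it.

```sql
-- Added example for auditing the Dedicated Administrator Connection (DAC).
USE master;
GO

-- 1. Is the DAC reachable over the network?
--    value_in_use = 0: local connections only; 1: remote connections allowed.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'remote admin connections';
GO

-- 2. If remote access was turned on and is not needed, set it back to local-only.
EXEC sp_configure 'remote admin connections', 0;
RECONFIGURE;
GO

-- 3. Sessions currently connected through the DAC endpoint.
SELECT s.session_id, s.login_name, s.host_name, s.program_name, s.login_time
FROM sys.dm_exec_sessions AS s
JOIN sys.endpoints AS e ON e.endpoint_id = s.endpoint_id
WHERE e.name = N'Dedicated Admin Connection';
GO

-- 4. Logins able to open a DAC session: the DAC admits sysadmin members only,
--    so this is the same list that matters after BUILTIN\Administrators is removed.
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
GO
```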
Copyright © 2002-2013 Simple Talk Publishing. All Rights Reserved.