Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

Removing NT Administrators as Sysadmins

By Brian Knight,

By default, all NT administrators of the domain that your SQL Server is installed in, have SA rights in every database. This presents interesting challenge for DBAs, political and technical. Does your NT administrator group need SA rights to every database? The answer is no.

Let me take a moment to contradict and clarify the statement I just made. Although the NT group "Administrators" does not need SA rights, the people inside that group may need SA rights. The better way to lock down your SQL Server versus the default would be to create a second user group and assign any users that need SA rights into it. By doing this, you give only the NT administrators that need SA access the rights as well as create a universal SA group to audit.

The first step before you do this would be to remove the current administrators group from your SQL Server. You can do this by expanding the Security group and selecting Logins. Then, delete the BULTIN\Administrators login in the right pane.

Now, create a new NT group and reverse the steps. Generally there is no need to give your network administrators SA rights, but if there is a need, do so through this technique.

Total article views: 4028 | Views in the last 30 days: 0
 
Related Articles
FORUM

Denying Local Administrators accounts Sysadmin rights ?

How do I - Denying Local Administrators accounts Sysadmin rights ?

FORUM

The user group “administrators” had full access rights before

after execution sp_attach_db and sp_detach_db user group “administrators” disappeared

ARTICLE

Multi-Server Administration

Multi server administration allows you to create jobs and maintenance plans once. You can then monit...

FORUM

Creating USER Group in SQL Server 2005

Creating USER Group in SQL Server 2005

BLOG

More on DBAs and Local Administrator Rights

I'm looking over the comments about DBAs and local Administrator rights and I noticed an interesting...

Tags
other    
rants    
security    
sql server 7    
 
Contribute

Join the most active online SQL Server Community

SQL knowledge, delivered daily, free:

Email address:  

You make SSC a better place

As a member of SQLServerCentral, you get free access to loads of fresh content: thousands of articles and SQL scripts, a library of free eBooks, a weekly database news roundup, a great Q & A platform… And it’s our huge, buzzing community of SQL Server Professionals that makes it such a success.

Join us!

Steve Jones
Editor, SQLServerCentral.com

Already a member? Jump in:

Email address:   Password:   Remember me: Forgotten your password?
Steve Jones