April 20, 2017 at 8:36 pm
Hi,
I just checked and the owner of db file of a critical db server is blank, when I set it to sa or some sysadmin it doesnt take it and says db is in use.
This is prod so i cant kill connections etc.
Also the db owner of all Databases is some guy who left the company. There is no dbo user but i see the schema.
What is the best practice to change the db owner and file owner to a new login? so i need to put that in sysadmin group?
April 21, 2017 at 12:59 am
There are two general directions on this. Either set the database owner to sa or set it to a loginless user that has appropriate permissions. Definitely should not be a user who is no longer with the company and definitely should not be blank.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw[/url]
Learn Extended Events
April 21, 2017 at 2:09 am
I like setting them to sa. The login can never be removed, and you can't accidentally grant higher permissions to it, since sa is sysadmin.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
April 21, 2017 at 2:20 am
How are you attempting to set the database owner, and what is the exact error message that you get? What happens if you run this?ALTER AUTHORIZATION ON DATABASE::MyDatabase TO sa
John
April 21, 2017 at 11:18 am
sqlguy80 - Thursday, April 20, 2017 8:36 PMHi,I just checked and the owner of db file of a critical db server is blank, when I set it to sa or some sysadmin it doesnt take it and says db is in use.
This is prod so i cant kill connections etc.
How are you changing the owner, via GUI or TSQL
sqlguy80 - Thursday, April 20, 2017 8:36 PM
Also the db owner of all Databases is some guy who left the company. There is no dbo user but i see the schema.
What is the best practice to change the db owner and file owner to a new login? so i need to put that in sysadmin group?
Do you mean a database user for the previous guy is a member of the db_owner role in each of the other databases?
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
May 3, 2017 at 3:14 pm
John Mitchell-245523 - Friday, April 21, 2017 2:20 AMHow are you attempting to set the database owner, and what is the exact error message that you get? What happens if you run this?ALTER AUTHORIZATION ON DATABASE::MyDatabase TO saJohn
Hi,
It's always a best practice to follow the principle of least privilege. With that said, it's better if the owner is not a regular user that shouldn't have those permissions. SysAdmin account is an alternative to fix this. To change it, i used this:
EXEC sp_changedbowner 'sa'; /*****This si being deprecated thou******/
John Mitchell-245523's suggestion should do it.
Regards
Rick
May 4, 2017 at 4:19 pm
On a related note, there seems to be a security loop hole if the owner of the database is a member of the sysadmin group and TRUSTWORTHY gets set to TRUE on the database so should the owner really be set to a non sysadmin just in case?
"If the TRUSTWORTHY setting is set to ON, and if the owner of the database is a member of a group that has administrative credentials, such as the sysadmin group, the database owner may be able to create and to run unsafe assemblies that can compromise the instance of SQL Server."
"Best practices for database ownership and trust include the following:
• Have distinct owners for databases. Not all databases should be owned by the system administrator."
May 8, 2017 at 3:19 pm
CC-597066 - Thursday, May 4, 2017 4:19 PMOn a related note, there seems to be a security loop hole if the owner of the database is a member of the sysadmin group and TRUSTWORTHY gets set to TRUE on the database so should the owner really be set to a non sysadmin just in case?"If the TRUSTWORTHY setting is set to ON, and if the owner of the database is a member of a group that has administrative credentials, such as the sysadmin group, the database owner may be able to create and to run unsafe assemblies that can compromise the instance of SQL Server."
"Best practices for database ownership and trust include the following:
• Have distinct owners for databases. Not all databases should be owned by the system administrator."
I disabled "sa" and made it the owner of the database. I didn't see any issue with this. Thoughts?
Viewing 8 posts - 1 through 7 (of 7 total)
You must be logged in to reply to this topic. Login to reply