November 25, 2009 at 12:08 am
how to disable windows authentication in sql server 2005
I know Disabling is not possible but I want to prevent the windows authentication...in Active active cluster of sql server 2005 and I cannot delete anything just check uncheck the properties...
Please Help...
Thanks
November 25, 2009 at 12:20 am
windows is recommended authentication for SQL server.
However you must have your own reason to opt not to do so.
In SQL server only users / groups that are granted access explicitely can connect to the server.(bultin\admininistrators are added default, but you can revoke this also)
But be careful with credentials that are used by the services . Do some researches before doing so.
November 25, 2009 at 12:26 am
(bultin\admininistrators are added default, but you can revoke this also)
How Can I revoke it....?
Thanks
November 25, 2009 at 12:37 am
November 25, 2009 at 1:55 am
I have read it , it is very well.
How to create the cluster service account as a login in SQL Server...?
Thanks
November 25, 2009 at 2:07 am
Find out which is the cluster service account from services.
Sp_grantlogin 'domain\account'
use master ;
sp_adduser 'domain\account'
November 25, 2009 at 4:11 am
Why exactly are you trying to do this? It is a bit concerning that you dont have access to delete users but are talking about disabling them.
You also ask about adding users which you should know how to do if you are doing stuff like this. But want to add the type of user (AD) that you say you want to disable; and are now talking about cluster service users.....
Be very careful you know what you are doing and have authorisation otherwise your future might not be so rosey.
What exactly do you want to accomplish and why?
Adam Zacks-------------------------------------------Be Nice, Or Leave
November 25, 2009 at 4:23 am
Schadenfreude-Mei (11/25/2009)
Why exactly are you trying to do this? It is a bit concerning that you dont have access to delete users but are talking about disabling them.You also ask about adding users which you should know how to do if you are doing stuff like this. But want to add the type of user (AD) that you say you want to disable; and are now talking about cluster service users.....
Be very careful you know what you are doing and have authorisation otherwise your future might not be so rosey.
What exactly do you want to accomplish and why?
my interpretation is that his/her question is clumsy formulated and he/she wants to know if it is possible to keep a sql server in a windows cluster environment clean from windows system administrators and keep it for dba's "only". i'll read the proposed solution link later but the issue i had (and perhaps is solved in the ms article) is that the health check needs in the standard setup sysadmin rights. and the health check is done with an account to which system administrators have access.
November 25, 2009 at 4:31 am
Eduard (11/25/2009)
Schadenfreude-Mei (11/25/2009)
Why exactly are you trying to do this? It is a bit concerning that you dont have access to delete users but are talking about disabling them.You also ask about adding users which you should know how to do if you are doing stuff like this. But want to add the type of user (AD) that you say you want to disable; and are now talking about cluster service users.....
Be very careful you know what you are doing and have authorisation otherwise your future might not be so rosey.
What exactly do you want to accomplish and why?
my interpretation is that his/her question is clumsy formulated and he/she wants to know if it is possible to keep a sql server in a windows cluster environment clean from windows system administrators and keep it for dba's "only". i'll read the proposed solution link later but the issue i had (and perhaps is solved in the ms article) is that the health check needs in the standard setup sysadmin rights. and the health check is done with an account to which system administrators have access.
I understand that for what ever reason he/she wants to keep other AD users out but what i dont get is why? This person obviously isnt the main dba as they dont have delete rights and so why are they doing this?
We (the dba's) dont own our boxes, we are responsible for them yes , but we cant lock out other IT admins (though it is tempting).
My point was, why is a junior dba undertaking a task which could have serious repercussions on a production server.
Adam Zacks-------------------------------------------Be Nice, Or Leave
November 25, 2009 at 4:47 am
Ajay,
What others are telling is right. If you are just looking at the possibility its fine. But you have plan to do it right out on a production database, I recommend other wise.
November 26, 2009 at 4:06 am
Thanx to those who has answered,
Ok Can u just help to prevent windows authentication or windows users disable on the cluster , from AD or from Local windows server Group from anywhere???
Thanks
November 26, 2009 at 6:22 am
Huh?
Please re-phrase your question as it made no sence.
Adam Zacks-------------------------------------------Be Nice, Or Leave
November 26, 2009 at 2:45 pm
The account under which the SQL Server service is running on a cluster must be a domain (Windows) account and that account needs SysAdmin rights within SQL Server.
The account under which the Cluster service is running must also be a domain account and must be able to connect to the server. It does not need any specific rights except the public role against the master database (or maybe whatever it's default database is, although I've never tried changing that).
These accounts must be domain accounts. You can tie them down fairly well by using a Windows policy to prevent them being able to log on locally.
Once you've got these accounts set up you can drop all other domain/local Windows accounts if you really want to: the first one we drop is BUILTIN/Administrators.
Note that using Windows authentication is the recommended model in every best practice article I can remember reading, and that is especially so in pre-SQL2k8 versions where the password management of SQL Server accounts is almost impossible to force into regulatory-compliant policies except through external controls.
As the other responders have said, you should be absolutely certain what it is that you're trying to achieve before making any changes, and test them elsewhere before implementing them on your production system.
November 26, 2009 at 10:34 pm
OK on suggestion of all u I will not do any thing...
Thanks
Viewing 14 posts - 1 through 13 (of 13 total)
You must be logged in to reply to this topic. Login to reply