Denying Local Administrators accounts Sysadmin rights ?


ZeeAtl
How do I deny members (domain accounts) who are members of Local Administrators group Sysadmin privileges on my local instance of SQL Server 2005?

I am using Windows Authentication rather than SQL Server authentication for access / connection to SQL Server.

Thanks,

Zee - Atlanta
Lynn Pettis
First, make sure you have at least two ways to log in with sysadmin rights. One way is to have a group created and have the DBAs assigned to that group and give that group sysadmin rights. The second, have a privileged account for each of the DBAs created and add those to the database with sysadmin rights. Once you have that done, you can delete the BUILTIN\Administrators account (group) and this will take away the ability of local admins from getting into SQL Server (unless they add themselves to your DBA group).

Cool
Lynn Pettis
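
The steps in the post above as a T-SQL script for SQL Server 2005, added here as an example and not part of the original post. `CONTOSO\SQL-DBAs` and `CONTOSO\jdoe-adm` are placeholder names for the DBA group and one DBA's privileged account; the script refuses to drop `BUILTIN\Administrators` unless both replacement paths are in place.

```sql
-- Added example. CONTOSO\SQL-DBAs and CONTOSO\jdoe-adm are placeholder names.
USE master;
GO

-- 1. First path: a Windows group that holds the DBAs, granted sysadmin.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\SQL-DBAs')
    CREATE LOGIN [CONTOSO\SQL-DBAs] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQL-DBAs', @rolename = N'sysadmin';

-- 2. Second path: an individual privileged account, granted sysadmin directly.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\jdoe-adm')
    CREATE LOGIN [CONTOSO\jdoe-adm] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\jdoe-adm', @rolename = N'sysadmin';
GO

-- 3. Review who holds sysadmin before removing anything.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.name;
GO

-- 4. Drop BUILTIN\Administrators only if both replacement logins are
--    enabled sysadmin members. Log in through each path first to confirm
--    it works; membership alone does not prove the account can connect.
IF (SELECT COUNT(*)
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin'
      AND p.is_disabled = 0
      AND p.name IN (N'CONTOSO\SQL-DBAs', N'CONTOSO\jdoe-adm')) = 2
BEGIN
    IF EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'BUILTIN\Administrators')
        DROP LOGIN [BUILTIN\Administrators];
END
ELSE
    RAISERROR(N'Replacement sysadmin logins missing or disabled; nothing dropped.', 16, 1);
GO
```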

Matt Miller (#4)
Lynn Pettis (2/18/2010)
First, make sure you have at least two ways to log in with sysadmin rights. One way is to have a group created and have the DBAs assigned to that group and give that group sysadmin rights. The second, have a privileged account for each of the DBAs created and add those to the database with sysadmin rights. Once you have that done, you can delete the BUILTIN\Administrators account (group) and this will take away the ability of local admins from getting into SQL Server (unless they add themselves to your DBA group).


..until they invoke the DAC.....

----------------------------------------------------------------------------------
Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
Lynn Pettis
Matt Miller (#4) (2/18/2010)
Lynn Pettis (2/18/2010)
First, make sure you have at least two ways to log in with sysadmin rights. One way is to have a group created and have the DBAs assigned to that group and give that group sysadmin rights. The second, have a privileged account for each of the DBAs created and add those to the database with sysadmin rights. Once you have that done, you can delete the BUILTIN\Administrators account (group) and this will take away the ability of local admins from getting into SQL Server (unless they add themselves to your DBA group).


..until they invoke the DAC.....


If you have that enabled. It is disabled by default. Which reminds me, I should check that on the new servers. So much going on in such a short time.

Also, hopefully they don't know how to access SQL Server via the DAC. I've used it once, and that was more of a test to see how it worked and what I could do.

Cool
Lynn Pettis

Matt Miller (#4)
Lynn Pettis (2/18/2010)
Matt Miller (#4) (2/18/2010)
Lynn Pettis (2/18/2010)
First, make sure you have at least two ways to log in with sysadmin rights. One way is to have a group created and have the DBAs assigned to that group and give that group sysadmin rights. The second, have a privileged account for each of the DBAs created and add those to the database with sysadmin rights. Once you have that done, you can delete the BUILTIN\Administrators account (group) and this will take away the ability of local admins from getting into SQL Server (unless they add themselves to your DBA group).


..until they invoke the DAC.....


If you have that enabled. It is disabled by default. Which reminds me, I should check that on the new servers. So much going on in such a short time.

Also, hopefully they don't know how to access SQL Server via the DAC. I've used it once, and that was more of a test to see how it worked and what I could do.



How do you disable the local DAC? As I recall - the ability to access DAC remotely is what's disabled.

That said - it might be good to know how to disable it locally if you can.

----------------------------------------------------------------------------------
Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
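
A way to audit the DAC exposure discussed in the posts above, added here as an example and not part of the original thread. It reads the `remote admin connections` setting, lists any session currently connected through the Dedicated Admin Connection endpoint, and shows how to keep the listener local-only.

```sql
-- Added example; run as a sysadmin. The DAC only accepts logins that are
-- members of sysadmin, so the sysadmin membership list is also the list of
-- principals able to use it.
USE master;
GO

-- 1. Remote DAC setting: value_in_use = 0 means the DAC listens on the
--    loopback address only; 1 means it also accepts remote connections.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'remote admin connections';

-- 2. Sessions currently connected through the DAC endpoint.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       s.login_time,
       c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id  = c.session_id
JOIN sys.endpoints           AS e ON e.endpoint_id = c.endpoint_id
WHERE e.name = N'Dedicated Admin Connection';
GO

-- 3. Keep the DAC local-only (a no-op if it is already 0).
EXEC sp_configure 'remote admin connections', 0;
RECONFIGURE;
GO
```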