Policy Management: BUILTIN\Administrators are sysadmins
Jon.Morisi
Ten Centuries

Group: General Forum Members
Points: 1161 Visits: 1142
Hi,
I'm trying to create a policy to check that the Server Roles for BUILTIN\Administrators includes sysadmin. I've not been able to locate a Server Role facet or other facet that includes a property for Server Role.

So far I've got a condition on the Login facet, @Name = 'builtin\administrators'. I'm using this as the target for the policy, but the big missing piece is where to check the server role.

Anyone know where the needle is?
Colleen M. Morrow
SSC-Addicted

Group: General Forum Members
Points: 413 Visits: 1059
Take a look at this article. Though he doesn't say it, the @WindowsUsersAndGroupsInSysadminRole he talks about is in the Server Installation Settings facet. (Of course ;-))



Colleen M. Morrow
Cleveland DBA
Jon.Morisi
Ten Centuries

Group: General Forum Members
Points: 1161 Visits: 1142
Thanks, I actually saw that and it doesn't do what I'm trying to do.

I've tried this:
Facet: Server Installation (not mentioned in that link)
@WindowsUsersAndGroupsInSysadminRole = Array('builtin\administrators')
The array that gets returned is all users and groups in the sysadmin role so it fails.
If you have many servers with different lists of sysadmins, this won't work.
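One way to implement the check the thread is after, as an added example that is not part of the original posts or of the linked blog: query the server catalog directly in T-SQL, which works across instances with different sysadmin lists because it tests for one member rather than comparing the whole array. It assumes the login is named exactly BUILTIN\Administrators and that the account evaluating the policy can see all server principals (VIEW ANY DEFINITION or a server role that implies it).

```sql
-- Added example (not from the original thread): does BUILTIN\Administrators hold the sysadmin role?
-- Assumes the login is named exactly BUILTIN\Administrators and the caller can view all server principals.

-- 1. Direct membership test.
--    1 = member, 0 = not a member, NULL = the login (or role) does not exist on this instance.
--    Do not read NULL as "not granted" until query 2 confirms the login really is absent.
SELECT IS_SRVROLEMEMBER('sysadmin', 'BUILTIN\Administrators') AS builtin_admins_is_sysadmin;

-- 2. Every current sysadmin member, so a 0 or NULL from query 1 can be explained on that server.
SELECT  m.name        AS member_name,
        m.type_desc   AS principal_type,
        m.is_disabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY m.name;

-- 3. Single-value numeric form for a Policy-Based Management condition:
--    ExecuteSql('Numeric', '<this query>') = 1 passes only when the group holds sysadmin.
--    Inside the condition editor every single quote below must be doubled.
SELECT  COUNT(*) AS builtin_admins_sysadmin_rows
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
  AND   m.name = N'BUILTIN\Administrators';
```

To use query 3 in PBM, create the condition on the Server facet (the check is about the instance, not about one login, so the Login facet target from the first post is not needed) with the expression `ExecuteSql('Numeric', 'SELECT COUNT(*) FROM sys.server_role_members rm JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id WHERE r.name = N''sysadmin'' AND m.name = N''BUILTIN\Administrators''') = 1`. Two caveats: SQL Server 2008 and later no longer add BUILTIN\Administrators to sysadmin during setup, and hardening baselines generally treat that membership as a finding, so the same expression with `= 0` is the more common control; and the query only reports direct membership, so a Windows group nested inside BUILTIN\Administrators is covered but a separate login that is a member of a different sysadmin group is not.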
Jon.Morisi
Ten Centuries

Group: General Forum Members
Points: 1161 Visits: 1142
I spent most of my day figuring this out so I decided to create a blogger account:

http://jonmorisissqlblog.blogspot.com/2011/04/configure-policy-to-checks-that.html
Jon.Morisi
Ten Centuries

Group: General Forum Members
Points: 1161 Visits: 1142
Similar posts:
http://www.sqlservercentral.com/Forums/Topic947360-1292-1.aspx?Update=1
http://www.sqlservercentral.com/Forums/Topic612919-391-1.aspx?Update=1
Colleen M. Morrow
SSC-Addicted

Group: General Forum Members
Points: 413 Visits: 1059
Awesome, thanks for sharing your solution!



Colleen M. Morrow
Cleveland DBA