Removing the Builtin Administrators - Some Pitfalls to Avoid

Kathi Kellenberger
Comments posted to this topic are about the content posted at http://www.sqlserv

Aunt Kathi
Linchpin People Teammate
SQL Server MVP
Author of Expert T-SQL Window Functions
Steven.

I find that adding in the 'nt authority\system' account in (as an admin) prior to removing the builtin\admin stops a lot of the pain with 3rd party backup solutions etc.



Steven
Tatsu

Here are some more gotchas. Some I have run into and some just came up when I searched for "Builtin Administrators" in the MS Knowledge Base with SQL Server 2000 selected as the product.

PRB: SQL Server Full-Text Search Does Not Populate Catalogs
http://support.microsoft.com/default.aspx?scid=kb;en-us;317746

BUG: IsAlive check does not run under the context of the BUILTIN\Administrators account in SQL Server 2000 Enterprise Edition
http://support.microsoft.com/default.aspx?scid=kb;en-us;291255

Be especially careful on clusters. See the following article for more information on this topic in relation to clustered instances of SQL Server:

INF: How to impede Windows NT administrators from administering a clustered instance of SQL Server
http://support.microsoft.com/kb/263712/EN-US/

There were some other articles that came up in the search but I did not include the ones marked "FIX" or "INF" except for the one clustering article. Basically, make sure everything is working right before you remove this group account. That way, if anything breaks, you know exactly why. Then you can put the group back in and research the proper solution.



Bryant E. Byrd, BSSE MCDBA MCAD
Business Intelligence Administrator
MSBI Administration Blog
Mithrandir
Do you know why none of my 5 servers (SQL 2000 Std) have the "Via group membership" option in the login properties screens?
Kathi Kellenberger

The "Via group membership" option disappeared after I changed the setting. I thought it was odd as well, but I was just glad the problem was solved!



Aunt Kathi
Linchpin People Teammate
SQL Server MVP
Author of Expert T-SQL Window Functions
K. Brian Kelley
Yup. Many configure their agent service to run as the local System account. Although truthfully there has always been an avenue to back up without the need for such rights (Backup Operators and now the user rights in the security policies) but few companies locked down their agents tight as a drum on the security side.

K. Brian Kelley
@kbriankelley
Bill Dillon

Interesting article. Now that I accidentally deleted the BUILTIN/Admin, how can I add it back in?

Thanks for the help

Bill


K. Brian Kelley
Log on as an account that is a sysadmin role member, such as the sa account, through Query Analyzer. Execute the following:

EXEC sp_grantlogin 'BUILTIN\Administrators'
EXEC sp_addsrvrolemember 'BUILTIN\Administrators', 'sysadmin'

K. Brian Kelley
@kbriankelley
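
Added example, not part of any post in this thread: a T-SQL pre-flight for the removal discussed above, combining the advice to add NT AUTHORITY\SYSTEM first with a check that another usable sysadmin login exists before the group is revoked. It assumes SQL Server 2000-style system tables and procedures, and DOMAIN\SqlDbaGroup is a placeholder for your own DBA group.

```sql
-- Added example, not from the thread. SQL Server 2000-style objects.
-- DOMAIN\SqlDbaGroup is a placeholder for your own DBA Windows group.

-- 1. Record current sysadmin logins and the Windows accounts that reach
--    SQL Server only through BUILTIN\Administrators.
SELECT name, isntname, isntgroup, denylogin, hasaccess
FROM master.dbo.syslogins
WHERE sysadmin = 1
ORDER BY name

EXEC master.dbo.xp_logininfo 'BUILTIN\Administrators', 'members'

-- 2. Grant explicit access first: the local System account (used by many
--    agents and third-party backup tools) and a named DBA group.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE name = 'NT AUTHORITY\SYSTEM')
    EXEC sp_grantlogin 'NT AUTHORITY\SYSTEM'
EXEC sp_addsrvrolemember 'NT AUTHORITY\SYSTEM', 'sysadmin'

IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE name = 'DOMAIN\SqlDbaGroup')
    EXEC sp_grantlogin 'DOMAIN\SqlDbaGroup'
EXEC sp_addsrvrolemember 'DOMAIN\SqlDbaGroup', 'sysadmin'

-- 3. Count sysadmin logins a person can still use afterwards. SQL logins
--    such as sa only count when the server is in mixed authentication mode.
DECLARE @usable int
SELECT @usable = COUNT(*)
FROM master.dbo.syslogins
WHERE sysadmin = 1 AND hasaccess = 1 AND denylogin = 0
  AND name NOT IN ('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
  AND (isntname = 1
       OR CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly')) = 0)

-- 4. Revoke the group only when a fallback exists. On a clustered instance,
--    review the clustering KB article linked in the thread before this step.
IF @usable = 0
    RAISERROR('No other usable sysadmin login; BUILTIN\Administrators kept.', 16, 1)
ELSE
    EXEC sp_revokelogin 'BUILTIN\Administrators'
```

If something stops working after step 4, the two statements in the reply above restore the group while the proper fix is researched.
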
P Jones

I've made a point of removing it from new servers once SQL is installed and the service and agent startup accounts are properly set.

That way it is out before any databases (other than master etc) or users are created so they are created with the rights and logins they need.


currym

Interesting. Thanks for your comments, especially on the "Through Group Membership" issue.




