sa removal


mobasha
Hi all.
I am on a production server and I want to know what I can do in order to make the sa login without any power.
I know that I can disable the account, but it must be something more I can do, like remove it from the sysadmin role using some workaround, but I can't find out how.
Anyone have any good ideas??

..>>..

MobashA
Jeff Moden
It's easy... don't try to remove the SA login... just change the password and don't give it out to anyone, ever...

--Jeff Moden

RBAR is pronounced ree-bar and is a Modenism for Row-By-Agonizing-Row.
First step towards the paradigm shift of writing Set Based code:
     Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
Although they tell us that they want it real bad, our primary goal is to ensure that we don't actually give it to them that way.
Although change is inevitable, change for the better is not.
Just because you can do something in PowerShell, doesn't mean you should.

Helpful Links:
How to post code problems
How to post performance problems
Forum FAQs
mobasha
Yes, I can do so. The case is I am new in the company and everyone used to use the sa for anything, even select statements. When I ask someone what he wants to do in order to give him the needed priv, he said he wants the sa (the general manager), but if I get rid of the sa, no one will ask for it.

Jeff Moden
If you simply rip the SA rug out from under them, you'll make a lot of enemies... you need to get management to buy into a good security plan where folks have read access and they have a "reporting" database (sandbox, really), where they can play to their little hearts' content. We have one that is "restored" every four hours from the production box. There's a separate "work" database where folks can store their favorite queries without them being overwritten every four hours. That way, they can have a login with "SA" privs without taking the chance on blowing production out of the water.

It'll take you 3 or 4 months to convince management of such a thing, but it's well worth it... makes everyone happy.

mobasha
I have already convinced them to remove the sa, but someone may still ask for it as he knows that sa is the most powerful user, so I don't want to give him a chance.

Jeff Moden
I can't get over the gut feeling that it's a bad idea, but here goes...

First, make sure that some other user, preferably some DBA (yourself?) has SA privs.

Second, open SSMS and click on {View}{Object Explorer}. Expand {security} and then {logins}. Double click on SA and a new window will open. Click on {server roles}. Find the {sysadmin} role and deselect it. Click {OK}.

GilaMonster
You can disable the sa account. On SQL 2005, you can also rename it if you like (and create a new login named sa with any permissions you like), however you cannot modify the original sa login.

If you try to remove it from the sysadmin group, you get an error:
Error 15405
Drop member failed for ServerRole 'sysadmin'
Cannot use the special principal 'sa'

You can rename from object explorer in management studio. Right click the login and choose 'rename'


Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass
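
The disable-and-rename route described in the post above, as an added T-SQL example that is not part of the original thread and not any poster's code. It does not touch sysadmin membership, since that fails with error 15405 as quoted above; `sa_renamed_placeholder` is a hypothetical name chosen for illustration.

```sql
-- Added example, not code from the thread. T-SQL for SQL Server 2005 or later.
-- [sa_renamed_placeholder] is a hypothetical name; choose your own.
-- Run while connected as a sysadmin login other than sa.

DECLARE @sa sysname, @sql nvarchar(400);

-- The built-in account keeps SID 0x01 whatever it is currently named.
SELECT @sa = name FROM sys.server_principals WHERE sid = 0x01;

-- Step 1 (as advised in the thread): confirm that some other enabled
-- principal holds sysadmin before the built-in account is locked out.
IF NOT EXISTS (
    SELECT 1
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin'
      AND m.sid <> 0x01
      AND m.is_disabled = 0
)
BEGIN
    RAISERROR(N'No other enabled sysadmin member found; %s left unchanged.', 16, 1, @sa);
    RETURN;
END;

-- Step 2: rename the built-in login, then disable it.
-- Dynamic SQL is used so the script also works if the login was renamed earlier.
SET @sql = N'ALTER LOGIN ' + QUOTENAME(@sa) + N' WITH NAME = [sa_renamed_placeholder];'
         + N' ALTER LOGIN [sa_renamed_placeholder] DISABLE;';
EXEC (@sql);

-- Step 3: verify by SID rather than by name.
SELECT name, is_disabled, modify_date
FROM sys.server_principals
WHERE sid = 0x01;

-- Step 4: review every principal that still holds sysadmin.
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
```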


GilaMonster
mobasha (5/25/2008)
I have already convinced them to remove the sa, but someone may still ask for it as he knows that sa is the most powerful user, so I don't want to give him a chance.


Tell him 'No'. Tell him that handing out the sa password is against your security policies (if it's not, it should be)

You're looking for a technological solution to a non-technological problem


mobasha
It would be like this:
He asks for sa, I say I have no such login, tell me what you want and I will provide you with a user to do what you need.
End of story.
You know I am not the only DBA, but soon I will be, so I can't disable the sa out of the blue or keep the password just for myself; I need time before I say no.

Jeff Moden
mobasha (5/26/2008)
It would be like this:
He asks for sa, I say I have no such login, tell me what you want and I will provide you with a user to do what you need.
End of story.
You know I am not the only DBA, but soon I will be, so I can't disable the sa out of the blue or keep the password just for myself; I need time before I say no.


That's what you get for "lying"... the real fact is the SA login exists... muster up your courage, get full management support, and start telling people "NO", they can't have the SA password. Doing what you said...

"tell me what you want and I will provide you with a user to do what you need."

... should be prefaced with "Management says no one but DBAs gets the SA password, however, tell me what you want and I will provide you with a user to do what you need." is the best way to go.
