If it's a cluster and you're connecting from a cluster node, only expect NTLM.

Otherwise, make sure that your clients are connecting to SQL Server based on the name you specified...

Ah, also, you're querying the wrong info. You want to do a -L against the service account. The SPN will belong under the service account.

It does potentially take time. It gets written to one DC and then must be replicated. If the DC you wrote to and the DC you query aren't the same,...

I would keep the service account(s) and the DBAs separate. SQL Server, if you use SQL Server Configuration Manager to manage the service accounts (the only supported way, BTW), will...

I would cease and desist with sp_helprotect if you're managing anything beyond SQL Server 2000.

You're wanting to look at the following catalog views and tie them together appropriately:

- sys.database_permissions

- sys.database_principals

-...

mstjean (11/10/2011)

FIRST QUESTION: is this the "last word" on minimizing Domain Admin permissions? If not, should I be looking at something else?

My environment: We're running SQL2005 EE, several of which...

If you want to cover them all and you have SQL Server 2005 and higher as your SQL Server version, then GRANT EXECUTE against the appropriate schema (usually dbo). For...

Your best bet is going to be a server side trace. You can use Profiler to build the trace. It's the only way to capture what all is being done....

Sean, that query is 2005 and above. 🙂

For 2000:

SELECT [name]

FROM syslogins

WHERE denylogin = 1

OR hasaccess = 0;

As for your second question, SQL Server doesn't track last...

Yes, but it requires one of the following:

- All users have the ability to CREATE SYMMETRIC KEY in the database.

- You create a stored procedure with an EXECUTE AS clause...

A lot of reasons could cause this. Are you seeing anything in the security event log at the OS level? Do you know what kind of group it is (domain...

It probably means the database was created as that windows user. Check the owner of the database.

I'm talking about ALTER on the db_datareader and db_datawriter schemas. There shouldn't be anything in them. Therefore, that set of permissions is unnecessary. I understand the general ALTER. However, realize...

1. Granting the ALTER to the schemas in question doesn't do anything. You really shouldn't change that.

2. Nothing in these permissions grants CREATE. Likely there are other permissions at play....

These are services. As a result, any account with the permission to stop and start services can stop and start these. That requires either Power User or Administrator group membership...