Re: Two DB Owners

From: Bill Cheng (billchng_at_online.microsoft.com)
Date: 06/10/03


Date: Tue, 10 Jun 2003 13:11:51 GMT


Hi Joshua,

I am not sure what effect you want to achieve. However, if you want to
impede Microsoft Windows NT system administrators from having system
administrator (sa) privileges in SQL Server, you may check the following
article.
263712 INF: How to Impede Windows NT Administrators from Administering a
http://support.microsoft.com/?id=263712

295034 FIX: Microsoft Search Service May Cause 100% CPU Usage if
http://support.microsoft.com/?id=295034

This posting is provided "AS IS" with no warranties, and confers no rights.

Regards,
  
Bill Cheng
Microsoft Support Engineer
--------------------
| From: "Joshua A. Booker" <joshuaabookerhot@mail.com>
| Subject: Re: Two DB Owners
| Date: Mon, 9 Jun 2003 15:55:47 -0400
| Newsgroups: microsoft.public.sqlserver.security
|
| Steve,
|
| I need to add the BUILTIN\Administrators login to certain roles in a
| database. Because it's set to use the 'dbo' user in this database, I get
| the message '15405 can't use reserved user 'dbo' when I try to permit the
| role. For this reason, I'd like to remove all permissions from the admins
| group so it will not use 'dbo' user. When I remove the login it doesn't
| remove the permissions that point to user 'dbo' for this login. How do I
| permit the login to use a role if the login points to the reserved user
| 'dbo'?
|
| TIA,
| Josh
|
|
| "Steve Thompson" <SteveThompson@nomail.please> wrote in message
| news:uAwLS8rLDHA.3144@tk2msftngp13.phx.gbl...
| > "Joshua A. Booker" <joshuaabookerhot@mail.com> wrote in message
| > news:umBQacrLDHA.2052@TK2MSFTNGP11.phx.gbl...
| > > I have two dbowners in each database. I would like sa to be the only db
| > > owner, but the 'BUILTIN\Administrators' login has permissions as user 'dbo'
| > > for every database. I have dropped the 'BUILTIN\Administrators' login, and
| > > run the sp_change_dbowner stored procedure, but somewhere permissions
| > > remain for the Administrators group. When I re-add the login, it says 'It
| > > has been detected that this login has permissions in specific databases...'
| > > Then it gives the login permissions as 'dbo' to each database. How do I
| > > drop all permissions for 'BUILTIN\Administrators'?
| >
| > It's not necessary to drop all permissions for the 'BUILTIN\Administrators'
| > group. Once you delete that group, you effectively prevent anyone who has
| > Administrative rights on your server from having sa equivalence on your SQL
| > Server.
| >
| > As you've discovered, you can add the 'BUILTIN\Administrators' group back
| > in, that's by design.
| >
| > Steve
|
|
|
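
Added example, not part of the original posts: a read-only T-SQL audit for the situation discussed in this thread. It assumes the SQL Server 2000 system tables master.dbo.syslogins, master.dbo.sysdatabases and the per-database sysusers table; members of the sysadmin role are treated as 'dbo' in every database, which is why the first query matters here.

```sql
-- Added example: read-only checks, nothing here changes permissions.
-- Assumes SQL Server 2000-era system tables (syslogins, sysdatabases, sysusers).

-- 1. Logins holding the sysadmin fixed server role.
--    A sysadmin member is mapped to 'dbo' in every database, so a
--    BUILTIN\Administrators row here explains the 'dbo' mapping.
SELECT name AS login_name,
       CASE WHEN isntgroup = 1 THEN 'Windows group'
            WHEN isntuser  = 1 THEN 'Windows user'
            ELSE 'SQL login'
       END  AS login_type,
       denylogin,
       hasaccess
FROM   master.dbo.syslogins
WHERE  sysadmin = 1
ORDER  BY name;

-- 2. Recorded owner of each database, flagging anything not owned by sa.
SELECT d.name             AS database_name,
       SUSER_SNAME(d.sid) AS owner_login,
       CASE WHEN SUSER_SNAME(d.sid) = 'sa'    THEN 'ok'
            WHEN SUSER_SNAME(d.sid) IS NULL   THEN 'owner SID does not resolve'
            ELSE 'review'
       END                AS status
FROM   master.dbo.sysdatabases d
ORDER  BY d.name;

-- 3. Is the BUILTIN\Administrators login present, and with what server rights?
SELECT name, sysadmin, denylogin, hasaccess
FROM   master.dbo.syslogins
WHERE  name = 'BUILTIN\Administrators';

-- 4. Run inside each database of interest: which login the 'dbo' user
--    is recorded against in that database.
SELECT name AS db_user, SUSER_SNAME(sid) AS mapped_login
FROM   sysusers
WHERE  name = 'dbo';
```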


