Re: BuiltinAdministrator's not SysAdmin yet appear to have DBO on all

From: Sue Hoegemeier (Sue_H_at_nomail.please)
Date: 01/24/05 

Date: Mon, 24 Jan 2005 14:03:59 -0700

No...that's not what would typically happen if you remove
the Builtin\administrators group.
I'm guessing that you mean that the local admins appear to
have db_owner role permissions DBO and db_owner are
different things. DBO is a user and db_owner is a database
role. Users can be members of db_owner fixed database role
which gives them all permissions in the database.
I'm not sure why you think the local admins on the server
have db_owner permissions but one thing to keep in mind is
that permissions are cumulative based upon the users
explicit permissions as well as those inherited from group
membership (Windows groups as well as the server and
database groups).

-Sue

On Sun, 23 Jan 2005 06:33:03 -0800, "DBADave"
<DBADave@discussions.microsoft.com> wrote:

>Hi All,
>
>I have revoked the BUILTIN\Administrators group membership in the SysAdmin
>group of a SQL 2000 server and instead granted the group Process
>Admoinistrators and Disk Administrators permissions. When I browse
>permissions for the BUILTIN\Administrators group in EM, I see the proper
>Server Roles are defined as noted above, however this group appears to have
>DBO permissions to all databases on the server, even though those databases
>were created by SA. In checking several of my SQL servers I am also seeing
>the same thing on each server. Have people seen this before? This would
>imply that the Local Admins to the box stil have dbo to all of the databases,
>but they were never granted this permission. Is this just in incorrect
>representation within EM?
>
>Thanks,
>Dave

Relevant Pages

  • RE: copy permissions from one user to another?
    ... THIS STORED PROCEDURE GENERATES COMMANDS ... -- ADD USER TO SERVER ... -- CREATE TABLE TO HOLD LIST OF USERS IN CURRENT DATABASE ... -- SET COMMAND TO FIND USER PERMISSIONS HAS IN CURRENT DATABASE ...
    (microsoft.public.sqlserver.security)
  • Re: Effective Permissions Error with Domain User
    ... I set the database compatibility to 2005. ... server profile trace and found that it was calling the Execute As User. ... This leads me to believe it is some sort of permissions issue. ... Did you get these database from SQL Server 2000 by using a RESTORE command? ...
    (microsoft.public.sqlserver.security)
  • Re: How to prevent DELETEs in a table
    ... It is the dbo database USER, not server-level groups, that determins ... It has implicit permissions that can not be denied. ... SQL Server just skips any permission validation for sysadmins. ...
    (microsoft.public.sqlserver.server)
  • Re: Disable Sysadmin to view metadata in SQL2005
    ... you are looking for a DRM solution for your database. ... Server does not provide such a solution. ... SQL Server Engine ... If the permissions are not granular ...
    (microsoft.public.sqlserver.security)
  • Re: Table permissions: No matter what I set all users have full access?
    ... I have created a new Windows user the ... logged on to another PC as that user and can still access the database with ... The new user does not have a login on the server and is ... I even created a login for the user and denied SELECT permissions on various ...
    (microsoft.public.access.adp.sqlserver)