Re: sql admin rights question

From: Joseph MCAD (anonymous_at_microsoft.discussions.com)
Date: 04/12/05


Date: Mon, 11 Apr 2005 18:26:39 -0700

April 11, 2005

   You need to be able to Deny the admin, however, and therefore should Not
be a sysadmin. You should stick with DB_Admin. HTH :-)

                                                      Joseph MCAD

"Sue Hoegemeier" <Sue_H@nomail.please> wrote in message
news:en6m51tjq0evv9r41jogghfl93auuq531i@4ax.com...
> If they need admin rights to the entire server then they
> need to be a member of the sysadmin role. Any Deny does not
> apply to a sysadmin. Permissions are cumulative with deny
> taking precedence but a sysadmin bypasses all of this.
>
> -Sue
>
> On Mon, 11 Apr 2005 18:09:35 -0400, "Keith G Hicks"
> <krh@comcast.net> wrote:
>
>>Yes. This is very helpful. I just found "Denying Permissions" in B.O.L.
>>Thank you.
>>
>>Keith
>>
>>"Joseph MCAD" <anonymous@microsoft.discussions.com> wrote in message
>>news:e4KjIztPFHA.3704@TK2MSFTNGP12.phx.gbl...
>>April 11, 2005
>>
>> Yes. You can grant the user the DB_Admin (hopefully that is the
>> correct
>>admin role) role and then goto the specific database and then put a Deny
>>ACE
>>in for the user. This will grant the user overall admin rights, but since
>>Deny ACEs have precedence over allows, the user will not be able to access
>>your database. I hope this helps! :-)
>>
>> Joseph MCAD
>>
>>
>>
>>
>



Relevant Pages

  • Re: MMC - admin locked out too
    ... just use the Deny trick to exempt ... from an admin account before it can edit policy, ... > Limit access to Regedit, MMC, command line, etc. & ... > restrict such items to Administrators only. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: deleting users my document folders after disabling redirection
    ... Kinda like the modern day 'logon locally, or deny logon localy", eh. ... that changing ownership is a right that could be taken away from ... Logging in as administrator and following your directions I still ... Why would my system admin account be restricted? ...
    (microsoft.public.windows.server.sbs)
  • Re: Windows 2000 - Local policy - deny logon loccaly
    ... Map the Admin$ or C$ share as an admin, then set a Deny ... of Full for Administrators on system32\GroupPolicy in the ... > Local policy settings -- deny logon locally. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: ***Admin LockedOut of GPEDIT.MSC***
    ... access the NTFS security dialog for system32\GroupPolicy ... set a Deny of Full Control for Administrators on this folder ... log back in as an admin ...
    (microsoft.public.windowsxp.security_admin)
  • Re: PLEASE HELP - USENET/Proxy Security Question
    ... >ability to monitor that traffic. ... sysadmin may be mistaken as to the source of the traffic unless ... >admin might allow you to believe your honeypot fantasies just to let you ... successfully defeat corporate security. ...
    (alt.computer.security)