Re: sql admin rights question

From: Joseph MCAD (
Date: 04/12/05

Date: Mon, 11 Apr 2005 18:26:39 -0700

April 11, 2005

   You need to be able to Deny the admin, however, and therefore should Not
be a sysadmin. You should stick with DB_Admin. HTH :-)

                                                      Joseph MCAD

"Sue Hoegemeier" <Sue_H@nomail.please> wrote in message
> If they need admin rights to the entire server then they
> need to be a member of the sysadmin role. Any Deny does not
> apply to a sysadmin. Permissions are cumulative with deny
> taking precedence but a sysadmin bypasses all of this.
> -Sue
> On Mon, 11 Apr 2005 18:09:35 -0400, "Keith G Hicks"
> <> wrote:
>>Yes. This is very helpful. I just found "Denying Permissions" in B.O.L.
>>Thank you.
>>"Joseph MCAD" <> wrote in message
>>April 11, 2005
>> Yes. You can grant the user the DB_Admin (hopefully that is the correct
>>admin role) role and then go to the specific database and then put a Deny
>>in for the user. This will grant the user overall admin rights, but since
>>Deny ACEs have precedence over allows, the user will not be able to access
>>your database. I hope this helps! :-)
>> Joseph MCAD
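
The behaviour discussed in this thread (Deny taking precedence over grants, and a sysadmin bypassing Deny) can be observed with the T-SQL below. It is an added example, not code from any of the posters. The login name, password placeholder and table are constructed, it uses tempdb as a scratch database, and it assumes SQL Server 2012 or later syntax and a session with rights to create logins and impersonate.

```sql
-- Added example: all object names below are constructed for illustration.
USE tempdb;

-- Replace the placeholder with a password that meets the server's policy.
CREATE LOGIN demo_admin WITH PASSWORD = '<placeholder-strong-password>';
CREATE USER demo_admin FOR LOGIN demo_admin;
CREATE TABLE dbo.PayrollDemo (id int PRIMARY KEY, salary money);

-- Grant and Deny on the same object: permissions are cumulative and
-- Deny takes precedence for an ordinary principal.
GRANT SELECT ON OBJECT::dbo.PayrollDemo TO demo_admin;
DENY  SELECT ON OBJECT::dbo.PayrollDemo TO demo_admin;

-- Step 1: effective permission while the login is NOT a sysadmin.
EXECUTE AS LOGIN = 'demo_admin';
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       HAS_PERMS_BY_NAME('dbo.PayrollDemo', 'OBJECT', 'SELECT') AS can_select;
REVERT;

-- Step 2: add the login to sysadmin and repeat the same check.
-- The Deny row is still present in the catalog; compare can_select
-- with the result from step 1.
ALTER SERVER ROLE sysadmin ADD MEMBER demo_admin;
EXECUTE AS LOGIN = 'demo_admin';
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       HAS_PERMS_BY_NAME('dbo.PayrollDemo', 'OBJECT', 'SELECT') AS can_select;
REVERT;

-- Audit query: every login that is a sysadmin member, i.e. every
-- principal for which a Deny cannot be relied on as a control.
SELECT m.name AS sysadmin_member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- Clean up the constructed objects.
ALTER SERVER ROLE sysadmin DROP MEMBER demo_admin;
DROP TABLE dbo.PayrollDemo;
DROP USER demo_admin;
DROP LOGIN demo_admin;
```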
