Restricting Access to BUILTIN\Administrators
From: BC DBA (BCDBA_at_discussions.microsoft.com)
Date: 06/22/05
- Next message: Jens Süßmeyer: "Re: Restricting Access to BUILTIN\Administrators"
- Previous message: LvBohemian: "Re: SQLServerAgent Service"
- Next in thread: Jens Süßmeyer: "Re: Restricting Access to BUILTIN\Administrators"
- Reply: Jens Süßmeyer: "Re: Restricting Access to BUILTIN\Administrators"
- Reply: Alejandro Mesa: "RE: Restricting Access to BUILTIN\Administrators"
- Reply: Mark J. McGinty: "Re: Restricting Access to BUILTIN\Administrators"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 22 Jun 2005 04:36:05 -0700
I have a bunch of SQL servers (2000, and 7) that I inherited when I took over
as the DBA in my organisation. Due to decisions outside my control there are
a number of users that have been granted Domain Admin rights which
automatically grants them sa privileges to the SQL Servers via
BUILTIN\Administrators.
Legislation requires us to restrict access to data to those individuals that
require access, so I need to prevent members of the Domain Administrators
group access to the servers.
What I thought I could do was to create another Domain Group say SQL Server
Administrators. Grant that the System Administrator role to the NT Group and
then Deny Login to the BUILTIN group. See the problem? If you are a member of
both accounts then you are denied access (Deny supercedes Grant).
Next thought remove the BUILTIN group from the System Administrators Role
and remove access to each of the databases on the server. Problem is that it
has database owner ticked for each database in EM and when I remove that I
get the following
Error 15405: Cannot use the reserved user or role name 'dbo'.
Looking at one of the databases my domain user is the owner and there is no
other user so I don't think that changing the dbo for each of the databases
will help. Anyone any other ideas (I have thought about removing the users
from the Domain Admins group but I would upset a lot of people)
-- Regards Tony
- Next message: Jens Süßmeyer: "Re: Restricting Access to BUILTIN\Administrators"
- Previous message: LvBohemian: "Re: SQLServerAgent Service"
- Next in thread: Jens Süßmeyer: "Re: Restricting Access to BUILTIN\Administrators"
- Reply: Jens Süßmeyer: "Re: Restricting Access to BUILTIN\Administrators"
- Reply: Alejandro Mesa: "RE: Restricting Access to BUILTIN\Administrators"
- Reply: Mark J. McGinty: "Re: Restricting Access to BUILTIN\Administrators"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
