Re: Restricting Access to BUILTIN\Administrators
From: Jens Süßmeyer (Jens_at_Remove_this_For_Contacting.sqlserver2005.de)
Date: 06/22/05
- In reply to: BC DBA: "Restricting Access to BUILTIN\Administrators"
- Next in thread: Alejandro Mesa: "RE: Restricting Access to BUILTIN\Administrators"
Date: Wed, 22 Jun 2005 14:16:02 +0200
What about removing the domain administrators group from the system
administrators role? That'll work. You can then add the SQL administrators
(your new Windows group) to the system administrators role.
--
HTH, Jens Suessmeyer.
---
http://www.sqlserver2005.de
---

"BC DBA" <BCDBA@discussions.microsoft.com> wrote in message
news:E7A2AE6A-971A-434C-B2B0-FC33419DA356@microsoft.com...
> I have a bunch of SQL servers (2000, and 7) that I inherited when I took
> over as the DBA in my organisation. Due to decisions outside my control
> there are a number of users that have been granted Domain Admin rights
> which automatically grants them sa privileges to the SQL Servers via
> BUILTIN\Administrators.
>
> Legislation requires us to restrict access to data to those individuals
> that require access, so I need to prevent members of the Domain
> Administrators group access to the servers.
>
> What I thought I could do was to create another Domain Group say SQL
> Server Administrators. Grant that the System Administrator role to the NT
> Group and then Deny Login to the BUILTIN group. See the problem? If you
> are a member of both accounts then you are denied access (Deny supersedes
> Grant).
>
> Next thought remove the BUILTIN group from the System Administrators Role
> and remove access to each of the databases on the server. Problem is that
> it has database owner ticked for each database in EM and when I remove
> that I get the following
>
> Error 15405: Cannot use the reserved user or role name 'dbo'.
>
> Looking at one of the databases my domain user is the owner and there is
> no other user so I don't think that changing the dbo for each of the
> databases will help. Anyone any other ideas (I have thought about
> removing the users from the Domain Admins group but I would upset a lot
> of people)
>
> --
> Regards
>
> Tony
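
The role swap suggested in this reply, written out as T-SQL for SQL Server 7.0/2000. This is an added example, not part of the original posts; `MYDOMAIN\SQL Server Administrators` is a placeholder for the new Windows group, and the script assumes the SQL Server and SQL Server Agent service accounts do not rely on BUILTIN\Administrators for their own access.

```sql
-- Added example; MYDOMAIN\SQL Server Administrators is a placeholder group name.
-- Assumption: the service accounts have sysadmin access of their own and
-- do not reach the server through BUILTIN\Administrators.
USE master
GO

-- 1. Give the new Windows group a login and the sysadmin role FIRST,
--    so the server is never left without a working administrator.
EXEC sp_grantlogin 'MYDOMAIN\SQL Server Administrators'
EXEC sp_addsrvrolemember 'MYDOMAIN\SQL Server Administrators', 'sysadmin'
GO

-- 2. Drop BUILTIN\Administrators from sysadmin only after confirming the
--    new group really holds the role and is not denied.
IF EXISTS (SELECT *
           FROM master.dbo.syslogins
           WHERE loginname = 'MYDOMAIN\SQL Server Administrators'
             AND sysadmin = 1
             AND denylogin = 0)
    EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin'
ELSE
    RAISERROR('New admin group is not a sysadmin; BUILTIN\Administrators left unchanged.', 16, 1)
GO

-- 3. Optional: remove the BUILTIN\Administrators login entry altogether.
--    sp_revokelogin deletes the entry and creates no deny, so a user who
--    is in both groups still gets in through the new group.
-- EXEC sp_revokelogin 'BUILTIN\Administrators'
-- GO

-- 4. Review every login that still holds sysadmin and every explicit deny.
SELECT loginname, isntgroup, isntuser, sysadmin, denylogin
FROM master.dbo.syslogins
WHERE sysadmin = 1 OR denylogin = 1
ORDER BY loginname
GO
```

Run it from a connection that will remain a sysadmin afterwards (a member of the new group, or sa), then reconnect as a Domain Admin who is not in the new group to confirm the sysadmin rights are gone.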