RE: Restricting Access to BUILTIN\Administrators
From: Alejandro Mesa (AlejandroMesa_at_discussions.microsoft.com)
Date: 06/22/05
- In reply to: BC DBA: "Restricting Access to BUILTIN\Administrators"
- Next in thread: BC DBA: "RE: Restricting Access to BUILTIN\Administrators"
- Reply: BC DBA: "RE: Restricting Access to BUILTIN\Administrators"
Date: Wed, 22 Jun 2005 07:53:40 -0700
See if this helps:
SQL Server Security: Security Admins
http://www.sqlservercentral.com/columnists/bkelley/sqlserversecuritysecurityadmins.asp
Removing the Builtin Administrators - Some Pitfalls to Avoid
http://www.sqlservercentral.com/columnists/kKellenberger/removingthebuiltinadministratorssomepitfallstoavoi.asp
AMB
"BC DBA" wrote:
> I have a bunch of SQL servers (2000, and 7) that I inherited when I took over
> as the DBA in my organisation. Due to decisions outside my control there are
> a number of users that have been granted Domain Admin rights which
> automatically grants them sa privileges to the SQL Servers via
> BUILTIN\Administrators.
>
> Legislation requires us to restrict access to data to those individuals that
> require access, so I need to prevent members of the Domain Administrators
> group access to the servers.
>
> What I thought I could do was to create another Domain Group say SQL Server
> Administrators. Grant that the System Administrator role to the NT Group and
> then Deny Login to the BUILTIN group. See the problem? If you are a member of
> both accounts then you are denied access (Deny supersedes Grant).
>
> Next thought remove the BUILTIN group from the System Administrators Role
> and remove access to each of the databases on the server. Problem is that it
> has database owner ticked for each database in EM and when I remove that I
> get the following
>
> Error 15405: Cannot use the reserved user or role name 'dbo'.
>
> Looking at one of the databases my domain user is the owner and there is no
> other user so I don't think that changing the dbo for each of the databases
> will help. Anyone any other ideas? (I have thought about removing the users
> from the Domain Admins group but I would upset a lot of people.)
>
> --
> Regards
>
> Tony
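
The second approach in the question (take BUILTIN\Administrators out of the sysadmin role rather than denying its login) can be scripted as below. This is an added example, not code from either poster or from the linked articles; it assumes the SQL Server 2000 system procedures and views, and `DOMAIN\SQLServerAdmins` is a hypothetical group name standing in for the new DBA group.

```sql
-- Added example. DOMAIN\SQLServerAdmins is a hypothetical group name.
-- Run from a connection whose sysadmin rights do NOT come only from
-- BUILTIN\Administrators, or step 5 removes your own access.

-- 1. Inventory: current sysadmin logins and any existing deny entries.
SELECT name, isntgroup, isntuser, sysadmin, denylogin, hasaccess
FROM master.dbo.syslogins
WHERE sysadmin = 1 OR denylogin = 1
ORDER BY name;

-- 2. Inventory: the login mapped to dbo in each database.
--    The dbo user cannot be dropped (error 15405); ownership is
--    changed with sp_changedbowner inside the database concerned.
SELECT name AS database_name, SUSER_SNAME(sid) AS owner_login
FROM master.dbo.sysdatabases
ORDER BY name;

-- 3. Give the replacement group a login and sysadmin membership first.
EXEC sp_grantlogin N'DOMAIN\SQLServerAdmins';
EXEC sp_addsrvrolemember N'DOMAIN\SQLServerAdmins', N'sysadmin';

-- 4. Confirm the new group is listed before removing anything, and
--    check that the accounts the SQL Server services run under are
--    covered by an entry other than BUILTIN\Administrators.
EXEC sp_helpsrvrolemember N'sysadmin';

-- 5. Remove the role membership instead of using sp_denylogin.
--    No deny entry is created, so a user who is in both groups keeps
--    the rights granted through DOMAIN\SQLServerAdmins.
EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', N'sysadmin';

-- 6. Verify: sysadmin should now be 0 and denylogin 0 for the
--    built-in group, and sysadmin 1 for the new group.
SELECT name, sysadmin, denylogin, hasaccess
FROM master.dbo.syslogins
WHERE name IN (N'BUILTIN\Administrators', N'DOMAIN\SQLServerAdmins');
```

After step 5 the BUILTIN\Administrators login entry still exists, so its members can connect with whatever rights that login and the public role carry; the step 1 and step 6 output shows what remains.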