Re: BUILTIN\Administrators

From: Anthony Thomas (ALThomas_at_kc.rr.com)
Date: 10/24/05

Next message: Geoff N. Hiten: "Re: Cannot change the database owner"

Previous message: Ken Schaefer: "Re: sa loginname being hacked"
In reply to: Tom Moreau: "Re: BUILTIN\Administrators"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 24 Oct 2005 07:44:50 -0500

You should follow Tom's suggestion, EVEN ON A CLUSTERED INSTANCE. You just
have to make sure the Cluster Service and SQL Server services accounts have
been granted access.

If you can not get away with actually removing the BUILTIN\Administrators
group, you can certainly remove the group login from the System
Administrators server role and remove it as a user from all databases.
Then, you can assign the login as a user in whatever databases you DO want
to them to have access to and for whatever permissions you want them
restricted to.

Sincerely,

Anthony Thomas

-- 
"Tom Moreau" <tom@dont.spam.me.cips.ca> wrote in message
news:eynSYDD2FHA.3204@TK2MSFTNGP14.phx.gbl...
> You can add "trusted" logins to the sysadmin role and then remove
> BUILTIN\Administrators from the sysadmin role (as long as you're not using
a
> clustered instance).  Only those people who should have access to the
> sensitive DB should be in the sysadmin role.  Anyone who is in the
sysadmin
> role has access to the entire SQL Server instance - including all DB's.
>
> -- 
>     Tom
>
> ----------------------------------------------------
> Thomas A. Moreau, BSc, PhD, MCSE, MCDBA
> SQL Server MVP
> Columnist, SQL Server Professional
> Toronto, ON   Canada
> www.pinpub.com
>
> "Andy" <Andy@discussions.microsoft.com> wrote in message
> news:D366F47F-016C-408E-8D7B-D6C92DA613B7@microsoft.com...
> > Is there any way to deny access to BUILTIN\Administrators on just one
> > database.
> > Very highly confidential databse and want to deny the access to
> > BUILTIN\Administrators.
> >
> > Thanks
> > Andy
>
>

Next message: Geoff N. Hiten: "Re: Cannot change the database owner"

Previous message: Ken Schaefer: "Re: sa loginname being hacked"
In reply to: Tom Moreau: "Re: BUILTIN\Administrators"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: BUILTINAdministrators
... You can add "trusted" logins to the sysadmin role and then remove ... clustered instance). ... role has access to the entire SQL Server instance - including all DB's. ... > Is there any way to deny access to BUILTIN\Administrators on just one ...
(microsoft.public.sqlserver.security)
Re: Restricting Access priviledge on SQL2000
... You must have made the "Application-Administrators" members of the sysadmin role in SQL Server. ... Take them out of the sysadmin role, add them as users in the correct database, then make them members of the db_owner role in that database. ...
(microsoft.public.sqlserver.security)
Re: SQL2k5 local rights to use
... I suggest you to create service accounts for your SQL Server services and set these service accounts to your SQL Server services using SQL Server Configuration Manager. ... To be a System Administrator for your SQL Server instance, you can add your domain account to the "sysadmin" Server Fixed Role. ...
(microsoft.public.sqlserver.setup)
Re: Security Policy for MSSQL service account.
... service account on a clustered instance. ... Senior Database Administrator ... Microsoft SQL Server MVP ... but will the clustered instance still work? ...
(microsoft.public.sqlserver.clustering)
RE: Snapshot Agent runs, but merge agent will not start(never started)
... change the startup account of the SQL Server service to a Windows domain account. ... The SQL Server services and the SQL Server Agent services on the Publisher and on the Subscriber use security contexts of different Windows domains. ... Create a Windows domain user account on the Publisher and on the Subscriber that have identical user names and passwords. ...
(microsoft.public.sqlserver.replication)