Re: Remove/Add BUILTIN\Administrators 2000 sp4



Thanks for your reply, but...
That is not precisely correct. That is actually a Windows group, not a
login. And they have permission by default only because this Windows group is
by default a member of the SQL Server role "System Administrator".

The original question was: when I delete and recreate this group in SQL
Server, it somehow knows that on this server it used to be the dbo in all
the databases, and so it makes it dbo on all databases again. Something I am
trying to prevent. On other servers, it is not dbo and
BUILTIN\Administrators has no access to anything, which is my goal.
I already did a sp_changedbowner in all the databases to sa and that
succeeded. Yet I cannot remove BUILTIN\Administrators as dbo to the
databases, even when I delete and recreate BUILTIN\Administrators.

Any other ideas would be appreciated.


"Uri Dimant" wrote:

DBA449
How does it know that? Where is this information stored?

select loginname from master..syslogins

By default all members of the Administrators group have access to SQL Server
via this LOGIN

http://vyaskn.tripod.com/sql_server_security_best_practices.htm (security
best practices)

"DBA449" <DBA449@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3DD8C090-FD3B-48B8-A4E5-9D6BCE4CCED5@xxxxxxxxxxxxxxxx
When I delete the BUILTIN\Administrators login and then re-add it, I get the
message from Enterprise Manager: "It has been detected that this login has
permissions in specific database(s) - the login will have access to these
databases now."

How does it know that? Where is this information stored?

My motivation for doing this is that I need to remove access of
BUILTIN\Administrators from all user databases. It is currently mapped to dbo
in all the user databases. When I attempt to remove BUILTIN\Administrators
from the dbo role, I get "Can not use the reserved word user or role name
'dbo'."

I already succeeded in changing the dbo for all user databases using
sp_changedbowner to sa. I have also already searched all newsgroups for a
solution. But all of them with a similar problem end with, "try
sp_changedbowner..."
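
An added example, not part of the original post or its replies: a login lives in master..syslogins and each database's sysusers rows are tied to it by SID, so this T-SQL audit lists where the BUILTIN\Administrators SID still appears. It assumes SQL Server 2000 system tables and a sysadmin connection; the temp table, cursor and variable names are illustrative.

```sql
-- Added audit example, not from the thread. Assumes SQL Server 2000 system tables.
SET NOCOUNT ON

-- Server level: the login row. sysadmin = 1 means its members act as dbo
-- in every database, whatever the per-database sysusers rows say.
SELECT loginname, sid, isntgroup, sysadmin
FROM master..syslogins
WHERE loginname = 'BUILTIN\Administrators'

-- SID used for matching. If the login is currently dropped, fall back to the
-- well-known SID of the local Administrators group (S-1-5-32-544).
DECLARE @sid varbinary(85)
SET @sid = ISNULL(SUSER_SID('BUILTIN\Administrators'),
                  0x01020000000000052000000020020000)

-- Database level: collect sysusers rows carrying that SID, plus each dbo row
-- (uid = 1) so the current owner SID is visible next to it.
CREATE TABLE #hits (dbname sysname, username sysname, uid smallint,
                    sid varbinary(85) NULL, is_target_sid bit)

DECLARE @db sysname, @sql nvarchar(4000)
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM master..sysdatabases
    WHERE DATABASEPROPERTYEX(name, 'Status') = 'ONLINE'
OPEN dbs
FETCH NEXT FROM dbs INTO @db
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Database name is quoted both as a literal and as an identifier.
    SET @sql = N'INSERT #hits SELECT N' + QUOTENAME(@db, '''')
             + N', name, uid, sid, CASE WHEN sid = @sid THEN 1 ELSE 0 END FROM '
             + QUOTENAME(@db) + N'.dbo.sysusers WHERE sid = @sid OR uid = 1'
    EXEC sp_executesql @sql, N'@sid varbinary(85)', @sid
    FETCH NEXT FROM dbs INTO @db
END
CLOSE dbs
DEALLOCATE dbs

SELECT dbname, username, uid, sid, is_target_sid FROM #hits ORDER BY dbname, uid
DROP TABLE #hits
```

Rows with is_target_sid = 1 are database users still bound to the group's SID; a dbo row (uid = 1) with sid 0x01 is owned by sa.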


