Windows non-Admin user and file permissions
- From: "Bill Blakey" <bill.blakey@xxxxxxxx>
- Date: Wed, 12 Jul 2006 12:16:33 -0700
Scenario:
a) using local SQL Server Express SP1 instance
b) logged into Windows as a local user who does NOT belong to the Local
Administrators group (BUILTIN\Admin) - just belongs to the "Users" Windows
Group.
c) using SQL standard security, connect to the local Express instance as
'sa'
d) issue a CREATE DATABASE statement specifying the .mdf/.ldf file on my
local "My Documents" folder
e) issue an sp_detach_db command which successfully detaches the database
Issue:
When that user goes out to his "My Documents" folder using Windows Explorer,
the database files (.mdf/.ldf) CANNOT be deleted. In fact, when viewing
the Properties of these files, there is no "Security" tab!
The user wants to delete those files. How?
The file security behavior appears new for SQL 2005 and is by-design. Some
of the Books Online snippets I found included:
"The SQL Server 2005 Database Engine sets file access permissions on the
physical data and log files of each database to specific accounts. The
permissions prevent the files from being tampered with should they reside in
a directory that has open permissions."
"When a database is created, or modified to add a new file, the MSSQLSERVER
service account and members of the local Administrators group are granted
Full Control access on the data and log files. File access is removed for
all other accounts."
--
Bill