Restricting Access to BUILTIN\Administrators

BC DBA - 22 Jun 2005 12:36 GMT
I have a bunch of SQL servers (2000, and 7) that I inherited when I took over
as the DBA in my organisation. Due to decisions outside my control there are
a number of users that have been granted Domain Admin rights which
automatically grants them sa privileges to the SQL Servers via
BUILTIN\Administrators.

Legislation requires us to restrict access to data to those individuals that
require access, so I need to prevent members of the Domain Administrators
group access to the servers.

What I thought I could do was to create another Domain Group say SQL Server
Administrators. Grant that the System Administrator role to the NT Group and
then Deny Login to the BUILTIN group. See the problem? If you are a member of
both accounts then you are denied access (Deny supersedes Grant).

Next thought remove the BUILTIN group from the System Administrators Role
and remove access to each of the databases on the server. Problem is that it
has database owner ticked for each database in EM and when I remove that I
get the following

Error 15405: Cannot use the reserved user or role name 'dbo'.

Looking at one of the databases my domain user is the owner and there is no
other user so I don't think that changing the dbo for each of the databases
will help. Anyone any other ideas (I have thought about removing the users
from the Domain Admins group but I would upset a lot of people)

Regards

Tony

Jens Süßmeyer - 22 Jun 2005 13:16 GMT
What about removing the domain administrators group from the system
administrators role, that'll work. You can then add the SQL administrators
(your new windows group) to the system administrators role.

HTH, Jens Suessmeyer.

---
http://www.sqlserver2005.de
---

> I have a bunch of SQL servers (2000, and 7) that I inherited when I took over
[quoted text clipped - 31 lines]
> will help. Anyone any other ideas (I have thought about removing the users
> from the Domain Admins group but I would upset a lot of people)
Alejandro Mesa - 22 Jun 2005 15:53 GMT
See if this helps:

SQL Server Security: Security Admin
http://www.sqlservercentral.com/columnists/bkelley/sqlserversecuritysecurityadmins.asp

Removing the Builtin Administrators - Some Pitfalls to Avoid
http://www.sqlservercentral.com/columnists/kKellenberger/removingthebuiltinadministratorssomepitfallstoavoi.asp


AMB

> I have a bunch of SQL servers (2000, and 7) that I inherited when I took over
> as the DBA in my organisation. Due to decisions outside my control there are
[quoted text clipped - 22 lines]
> will help. Anyone any other ideas (I have thought about removing the users
> from the Domain Admins group but I would upset a lot of people)
BC DBA - 23 Jun 2005 09:57 GMT
Thank You Alejandro,

Absolutely cracking articles, and just what I was looking for.

Now all I have to do is to work up the courage to do it :)

Regards

Tony

> See if this helps:
>
[quoted text clipped - 3 lines]
> Removing the Builtin Administrators - Some Pitfalls to Avoid
> http://www.sqlservercentral.com/columnists/kKellenberger/removingthebuiltinadministratorssomepitfallstoavoi.asp

> AMB
Mark J. McGinty - 22 Jun 2005 17:00 GMT
> Next thought remove the BUILTIN group from the System Administrators Role
> and remove access to each of the databases on the server. Problem is that
[quoted text clipped - 3 lines]
>
> Error 15405: Cannot use the reserved user or role name 'dbo'.

You need to change the database owner (by calling sp_changedbowner) for each
database first, then remove the builtin group from the sysadmin role.

> Looking at one of the databases my domain user is the owner and there is no
> other user so I don't think that changing the dbo for each of the databases
> will help.

If the domain user in this case is one of the ones for which you want to
restrict SQL access, this change will do that, they won't have access
anymore.  If the domain user is one that will be added to the SQL admin
group, access will be granted via role membership, so no harm no foul.

Be sure that the default db is valid for the ones that will have access,
because if it isn't they won't be able to login -- master is always a safe
choice.

-Mark
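
The sequence discussed in this thread, written out as T-SQL for SQL Server 2000; this is an added example, not code posted by any participant. `MYDOMAIN\SQL Server Administrators`, `SomeUserDb` and the choice of `sa` as the new database owner are placeholders/assumptions, and the script assumes you are connected with a sysadmin login that does not itself depend on BUILTIN\Administrators.

```sql
-- Added example; group, database and owner names are placeholders.
-- Assumption: the SQL Server and SQL Server Agent service accounts do not
-- rely on BUILTIN\Administrators for their access. Confirm before step 4.

-- 1. Give the dedicated DBA group its own login and sysadmin membership
--    first, so a Windows-authenticated sysadmin path exists throughout.
EXEC sp_grantlogin       N'MYDOMAIN\SQL Server Administrators'
EXEC sp_addsrvrolemember N'MYDOMAIN\SQL Server Administrators', N'sysadmin'
-- A valid default database is required or the login fails; master is safe.
EXEC sp_defaultdb        N'MYDOMAIN\SQL Server Administrators', N'master'
GO

-- 2. Review current sysadmin members and the owner of every database.
EXEC sp_helpsrvrolemember N'sysadmin'
SELECT name, SUSER_SNAME(sid) AS owner_login
FROM   master.dbo.sysdatabases
ORDER  BY name
GO

-- 3. Reassign ownership of each user database that step 2 shows as owned
--    by an account that should lose access (repeat per database).
USE SomeUserDb
EXEC sp_changedbowner N'sa'
GO

-- 4. Remove the local Administrators group from the sysadmin role.
USE master
EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', N'sysadmin'
GO

-- 5. Optional: the group still has a login after step 4. Revoking it
--    (rather than denying it) removes that path without locking out
--    people who are also members of the new DBA group.
EXEC sp_revokelogin N'BUILTIN\Administrators'
GO

-- 6. Verify the result.
EXEC sp_helpsrvrolemember N'sysadmin'
GO
```

Keep a tested `sa` or other non-Windows sysadmin connection open until step 6 confirms the new group appears in the role and a member of it can log in.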