Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion Groups
DB Engine
SQL ServerMSDESQL Server CE
Services
Analysis (Data Mining)Analysis (OLAP)DTSIntegration ServicesNotification ServicesReporting Services
Programming
CLRConnectivitySQLXML
Other Technologies
ClusteringEnglish QueryFull-Text SearchReplicationService Broker
General
Data WarehousingPerformanceSecuritySetupSQL Server ToolsOther SQL Server Topics
DirectoryUser Groups
Related Topics
MS AccessOther DB ProductsMS Server Products.NET DevelopmentVB DevelopmentJava DevelopmentMore Topics ...
SQL Server Forum / General / Security / October 2005

Tip: Looking for answers? Try searching our database.

BUILTIN\Administrators

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Andy - 24 Oct 2005 01:05 GMT
Is there any way to deny access to BUILTIN\Administrators on just one database.
Very highly confidential databse and want to deny the access to
BUILTIN\Administrators.

Thanks
Andy
Reply to this Message
Tom Moreau - 24 Oct 2005 01:20 GMT
You can add "trusted" logins to the sysadmin role and then remove
BUILTIN\Administrators from the sysadmin role (as long as you're not using a
clustered instance).  Only those people who should have access to the
sensitive DB should be in the sysadmin role.  Anyone who is in the sysadmin
role has access to the entire SQL Server instance - including all DB's.

Signature

   Tom

----------------------------------------------------
Thomas A. Moreau, BSc, PhD, MCSE, MCDBA
SQL Server MVP
Columnist, SQL Server Professional
Toronto, ON   Canada
www.pinpub.com

> Is there any way to deny access to BUILTIN\Administrators on just one
> database.
[quoted text clipped - 3 lines]
> Thanks
> Andy
Reply to this Message
Anthony Thomas - 24 Oct 2005 13:44 GMT
You should follow Tom's suggestion, EVEN ON A CLUSTERED INSTANCE.  You just
have to make sure the Cluster Service and SQL Server services accounts have
been granted access.

If you can not get away with actually removing the BUILTIN\Administrators
group, you can certainly remove the group login from the System
Administrators server role and remove it as a user from all databases.
Then, you can assign the login as a user in whatever databases you DO want
to them to have access to and for whatever permissions you want them
restricted to.

Sincerely,

Anthony Thomas

> You can add "trusted" logins to the sysadmin role and then remove
> BUILTIN\Administrators from the sysadmin role (as long as you're not using a
[quoted text clipped - 9 lines]
> > Thanks
> > Andy
Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.