Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
builtin\administrators
- Thread starter Bell1991
- Start date
mrdenny
Programmer
- May 27, 2002
- 11,595
It can be removed, I have removed it from all of our servers. There are some things you'll want to check before removing it.
1. Make sure that the account that runs the SQL Service has sysadmin rights.
2. Make sure that the DBAs (either by group or by name) are listed specifically and have sysadmin access.
3. If you are using the full text search you'll need to grant the "NT AUTHORITY\SYSTEM" sysadmin rights. This must be done via sp_grantlogin, it can not be done via Enterprise Manager.
4. If the SQL Agent runs under a different account than the SQL Server make sure that account has the rights that it needs.
Once you've done these things you should be able to safely remove the BUILTIN\Administrators.
Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)
--Anything is possible. All it takes is a little research. (Me)
![[noevil]](/data/assets/smilies/noevil.gif "[noevil] [noevil]")
1. Make sure that the account that runs the SQL Service has sysadmin rights.
2. Make sure that the DBAs (either by group or by name) are listed specifically and have sysadmin access.
3. If you are using the full text search you'll need to grant the "NT AUTHORITY\SYSTEM" sysadmin rights. This must be done via sp_grantlogin, it can not be done via Enterprise Manager.
4. If the SQL Agent runs under a different account than the SQL Server make sure that account has the rights that it needs.
Once you've done these things you should be able to safely remove the BUILTIN\Administrators.
Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)
--Anything is possible. All it takes is a little research. (Me)
- Thread starter
- #4
mrdenny
Programmer
- May 27, 2002
- 11,595
Yes it can be added back.
If you deny the builtin\Administators the right to log in that should totaly block there ability to log into the SQL Server at all. Even if they have been granted rights through some other group. This would lock the DBAs out if they have admin access to the server.
Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)
--Anything is possible. All it takes is a little research. (Me)
Code:
exec sp_grantlogin [BUILTIN\Administrators]
go
exec sp_addsrvrolemember @loginame='BUILTIN\Administrators', @rolename='sysadmin'
goIf you deny the builtin\Administators the right to log in that should totaly block there ability to log into the SQL Server at all. Even if they have been granted rights through some other group. This would lock the DBAs out if they have admin access to the server.
Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)
--Anything is possible. All it takes is a little research. (Me)
Stop, before you do anything, read this!
- Status
Similar threads
- Locked
- Question
- Locked
- Question