Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

builtin\administrators

Status
Not open for further replies.

Bell1991

Programmer
Aug 20, 2003
386
US
I would like to remove the builtin\administrators - but i am scared i will break something.

How can i verify i won't?

Thanks
 
What is the purpose of doing that? Certian services need users to be part of local admin group. Think twice before you proceed with it.

Dr.Sql
Good Luck.
 
It can be removed, I have removed it from all of our servers. There are some things you'll want to check before removing it.

1. Make sure that the account that runs the SQL Service has sysadmin rights.

2. Make sure that the DBAs (either by group or by name) are listed specifically and have sysadmin access.

3. If you are using the full text search you'll need to grant the "NT AUTHORITY\SYSTEM" sysadmin rights. This must be done via sp_grantlogin, it can not be done via Enterprise Manager.

4. If the SQL Agent runs under a different account than the SQL Server make sure that account has the rights that it needs.

Once you've done these things you should be able to safely remove the BUILTIN\Administrators.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
[noevil]
 
I have done the checklist above and i can't imagine anything going wrong, but if it does, can i add it back in?
 
Bell1991,

You could just deny the login rather than removing it:

Code:
EXEC sp_denylogin [BUILTIN\Administrators]

Andy
 
Yes it can be added back.
Code:
exec sp_grantlogin [BUILTIN\Administrators]
go
exec sp_addsrvrolemember @loginame='BUILTIN\Administrators', @rolename='sysadmin'
go

If you deny the builtin\Administators the right to log in that should totaly block there ability to log into the SQL Server at all. Even if they have been granted rights through some other group. This would lock the DBAs out if they have admin access to the server.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
[noevil]
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top