
domain

Status
Not open for further replies.

GrimR

IS-IT--Management
Jun 17, 2007
1,149
ZA
We are going to be breaking our domain and joining another. Once we have joined, will the domain admins of the new domain have access to our SQL database? Currently using Windows authentication.

MCITP:EA/SA, MCSE, MCSA, MCDBA, MCTS, MCP+I, MCP
 

Have a look at the logins and groups you already have set up on your SQL server.

If you have domain admins set up then yes, they will.
If you have local admins set up then they may do if they make themselves admin on your servers.

I suppose the real question is do you want them to or are you trying to make sure they don't get access?

I love deadlines. I like the whooshing sound they make as they fly by
Douglas Adams
(1952-2001)
 
The data on the SQL, file and Exchange servers must for now stay confidential to ourselves until the nationalization of the company is final. Is there a way to prevent them making themselves admins on the servers?
As far as I know, we will just be an OU in AD with our branch (currently our AD domain, 120 users) that I will then manage.

MCITP:EA/SA, MCSE, MCSA, MCDBA, MCTS, MCP+I, MCP
 

You could look at disabling all of the group accounts other than your specific IDs or groups.

Don't disable the NT Authority or NT Service accounts.

Ensure that at least 1 account (yours) has full sysadmin and administrator access, and try it on your test box if you have one, in case it screws up anything else accessing the server.



I love deadlines. I like the whooshing sound they make as they fly by
Douglas Adams
(1952-2001)
 
On your local windows accounts you should have a group called administrators. A member of this group should be something like

DOMAIN\administrators

Well, I would say it would be safe if you made sure that NEWDOMAIN\administrators wasn't in this group.

Then on the current domain server make sure that NEWDOMAIN\administrators are not in the administrators group for your domain.

OR... the safest approach: keep your domains separate (using VLANs, so on the same network but one can't see the other) until you're ready to allow them to talk.

Dan

----------------------------------------

Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind - Bernard Baruch

Computer Science is no more about computers than astronomy is about telescopes - EW Dijkstra
----------------------------------------
 
Dan, that's not possible; we are becoming one domain. We already have a trust in place and have had it for several years, but the firms are growing and are about to be nationalized and have already started to conform to international standards and policies. The partners in both companies/branches do not want us, the IT managers from either domain [currently], having access to each other's data [yet].

MCITP:EA/SA, MCSE, MCSA, MCDBA, MCTS, MCP+I, MCP
 
Remove Builtin\Administrators from the SQL Server logins.

-SQLBill

The following is part of my signature block and is only intended to be informational.
Posting advice: FAQ481-4875
 
SQLBill - Remove it, or just set Deny permissions on the account to the database, or change server roles? But I take it that it's going to be possible to give myself and our staff access while denying their staff and admins access.

MCITP:EA/SA, MCSE, MCSA, MCDBA, MCTS, MCP+I, MCP
 
Create logins for those people who need to have access and grant them the appropriate access needed (sysadmin if needed). Then remove Builtin\Administrators. If someone is an administrator on the server, they automatically have SA privileges via Builtin\Administrators. We remove that permission immediately upon building a SQL Server server.

One thing you can do to make security easier to manage is create an Active Directory group that will be used for those who are approved to have sysadmin access. Something like [Domain]\DBAGroup. Grant that Windows group sysadmin privileges in SQL Server and just assign users to the group as necessary.

Before you remove Builtin\Administrators, make sure someone has SA access. Either the SA login/password is stored somewhere, or someone's login has the sysadmin privilege.

-SQLBill

The following is part of my signature block and is only intended to be informational.
Posting advice: FAQ481-4875
 