January 9, 2012 at 9:55 am
Hello,
My team supports a large group of servers, and unfortunately, sometimes the customer has SYSADMIN access to the server.
We just found a server that "someone" changed the Authentication mode from SQL Auth. to Windows Auth. So the next time the server restarted, a bunch of people weren't too happy.
My question is...
From the default trace, or ErrorLog, or Event Viewer... how can I tell who did that monstrosity?
We don't have custom audit in place, and I guess I can set up something on MS SQL 2008 Policies... but right now I would like to find out who did it.
I try testing it on my test env. but I can figure out where it might be logged.
Thank you
MS SQL 2008 SP1 Enterprise Edition
Thank you
Miguel
January 9, 2012 at 10:04 am
If you don’t have audits / policies / alerts in place it’s hard to figure out. I would suggest you to take actions on it ASAP before *someone* just drops a database (or something similar) by mistake.
Also, it’s good idea to put this as a business case in front of Management & convince them on revoking sysadmin privileges from customer.
Viewing 2 posts - 1 through 1 (of 1 total)
You must be logged in to reply to this topic. Login to reply