October 9, 2003 at 2:32 pm
The local Windows group Builtin\Administrators has rights to my SQL Server. The group is not a member of any fixed server role, but it is mapped to the user dbo and is a member of the db_owner role in each database. I have tried to remove the BuiltIn\Administrators group from the db_owner role and keep getting the error: "Error 15405: Cannot use the reserved user or role name dbo." I cannot change the user that the login is mapped to from dbo to something else. Can someone tell me what the deal is with this Windows group?
October 9, 2003 at 6:55 pm
You should remove the login entirely. Seldom should all network admins also be SQL admins. Even if you're not clustered, the instructions here are relevant:
http://support.microsoft.com/?id=263712
--Jonathan
October 10, 2003 at 7:20 am
Before removing it, make sure you have another NT login with 'sa' privilege and do try to remember the 'sa' password. Someone is in trouble after removing it.
October 10, 2003 at 7:26 am
Also keep in mind this stops the "only curious." Granted that's probably 98% of the looks. However, if a sysadmin wanted to get at the data, he or she would stop the SQL Server service and copy off the data files. Be sure to have auditing turned on (and reviewed) at the OS level as well.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
@kbriankelley
October 10, 2003 at 7:34 am
By default, 'BUILTIN\Administrators' is automatically mapped to 'dbo'. Try to remove it from access to all your databases and then remove it.
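The sequence the replies describe (make sure another Windows login holds sysadmin, then remove BUILTIN\Administrators), written out as an added T-SQL example that is not part of the original thread. It assumes the SQL Server 2000-era system procedures and the master.dbo.syslogins table; DOMAIN\SqlAdmins is a hypothetical replacement group.

```sql
-- Added example, not from the thread.
-- Assumption: DOMAIN\SqlAdmins is a hypothetical Windows group of DBAs.
USE master
GO

-- 1. Record who holds sysadmin before changing anything.
EXEC sp_helpsrvrolemember 'sysadmin'
GO

-- 2. Grant the replacement Windows group a login and sysadmin rights.
EXEC sp_grantlogin 'DOMAIN\SqlAdmins'
EXEC sp_addsrvrolemember 'DOMAIN\SqlAdmins', 'sysadmin'
GO

-- 3. Open a NEW connection as a member of DOMAIN\SqlAdmins and confirm
--    it really has sysadmin before continuing (returns 1 when it does).
SELECT IS_SRVROLEMEMBER('sysadmin') AS i_am_sysadmin
GO

-- 4. Guarded removal: refuse to revoke the built-in group unless some
--    other Windows login that is not denied access holds sysadmin.
IF NOT EXISTS (
    SELECT 1
    FROM master.dbo.syslogins
    WHERE sysadmin = 1
      AND isntname = 1          -- Windows user or group
      AND denylogin = 0
      AND name <> 'BUILTIN\Administrators'
)
BEGIN
    RAISERROR('No other Windows sysadmin login exists; BUILTIN\Administrators was not removed.', 16, 1)
END
ELSE
BEGIN
    EXEC sp_revokelogin 'BUILTIN\Administrators'
END
GO

-- 5. Confirm the result.
EXEC sp_helpsrvrolemember 'sysadmin'
GO
```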