Denying Local Administrators accounts Sysadmin rights?

  • How do I deny members (domain accounts) who are members of Local Administrators group Sysadmin privileges on my local instance of SQL Server 2005?

    I am using Windows Authentication rather than SQL Server authentication for access / connection to SQL Server.

    Thanks,

    Zee - Atlanta

  • First, make sure you have at least two ways to log in with sys admin rights. One way is to have a group created and have the DBAs assigned to that group and give that group sys admin rights. The second, have a privileged account for each of the DBAs created and add those to the database with sys admin rights. Once you have that done, you can delete the Builtin\administrator account (group) and this will take away the ability of local admins from getting into SQL Server (unless they add themselves to your DBA group).

  • Lynn Pettis (2/18/2010)


    First, make sure you have at least two ways to log in with sys admin rights. One way is to have a group created and have the DBAs assigned to that group and give that group sys admin rights. The second, have a privileged account for each of the DBAs created and add those to the database with sys admin rights. Once you have that done, you can delete the Builtin\administrator account (group) and this will take away the ability of local admins from getting into SQL Server (unless they add themselves to your DBA group).

    ..until they invoke the DAC.....

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • Matt Miller (#4) (2/18/2010)


    Lynn Pettis (2/18/2010)


    First, make sure you have at least two ways to log in with sys admin rights. One way is to have a group created and have the DBAs assigned to that group and give that group sys admin rights. The second, have a privileged account for each of the DBAs created and add those to the database with sys admin rights. Once you have that done, you can delete the Builtin\administrator account (group) and this will take away the ability of local admins from getting into SQL Server (unless they add themselves to your DBA group).

    ..until they invoke the DAC.....

    If you have that enabled. It is disabled by default. Which reminds me, I should check that on the new servers. So much going on in such a short time.

    Also, hopefully they don't know how to access SQL Server via the DAC. I've used it once, and that was more of a test to see how it worked and what I could do.

  • Lynn Pettis (2/18/2010)


    Matt Miller (#4) (2/18/2010)


    Lynn Pettis (2/18/2010)


    First, make sure you have at least two ways to log in with sys admin rights. One way is to have a group created and have the DBAs assigned to that group and give that group sys admin rights. The second, have a privileged account for each of the DBAs created and add those to the database with sys admin rights. Once you have that done, you can delete the Builtin\administrator account (group) and this will take away the ability of local admins from getting into SQL Server (unless they add themselves to your DBA group).

    ..until they invoke the DAC.....

    If you have that enabled. It is disabled by default. Which reminds me, I should check that on the new servers. So much going on in such a short time.

    Also, hopefully they don't know how to access SQL Server via the DAC. I've used it once, and that was more of a test to see how it worked and what I could do.

    How do you disable the local DAC? As I recall - the ability to access DAC remotely is what's disabled.

    That said - it might be good to know how to disable it locally if you can.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
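
The sequence discussed in this thread (two sysadmin paths first, then removing the built-in administrators login, then checking the DAC setting), written out as T-SQL for SQL Server 2005. This is an added example, not code posted by anyone in the thread; the `CONTOSO\...` names are placeholders, and `BUILTIN\Administrators` is assumed to be the login's name as it appears on a default English-language install.

```sql
-- Added example. CONTOSO\SQL-DBAs and CONTOSO\jsmith-dba are placeholder names.
USE master;
GO

-- 1. First sysadmin path: a Windows group that holds the DBAs.
CREATE LOGIN [CONTOSO\SQL-DBAs] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQL-DBAs', @rolename = N'sysadmin';

-- 2. Second sysadmin path: an individual privileged DBA account.
CREATE LOGIN [CONTOSO\jsmith-dba] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\jsmith-dba', @rolename = N'sysadmin';
GO

-- 3. Review every current member of the sysadmin role before removing anything.
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 4. Drop the built-in group only when both replacement paths are in place.
--    Log in through each path in a separate session before running this step.
DECLARE @ready int;
SELECT @ready = COUNT(*)
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
  AND m.is_disabled = 0
  AND m.name IN (N'CONTOSO\SQL-DBAs', N'CONTOSO\jsmith-dba');

IF @ready = 2
   AND EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'BUILTIN\Administrators')
    DROP LOGIN [BUILTIN\Administrators];
ELSE
    RAISERROR('Replacement sysadmin logins not confirmed; nothing dropped.', 16, 1);
GO

-- 5. DAC: this option governs remote DAC connections only.
--    0 = the DAC accepts connections from the local machine only.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'remote admin connections';
```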
