May 26, 2005 at 5:28 am
Hi,
I understand that there are two types of authentication modes: Windows Authentication and Mixed Mode. But in both types the Windows account is enabled. Is there any method to disable the Windows account?
Regards
Unnic
May 26, 2005 at 5:33 am
No, as the account which runs the SQL Server service needs access to the SQL Server.
Steven
May 26, 2005 at 7:27 am
There is no way to use only SQL Server authentication mode. However, you can remove the BUILTIN\Administrators group from the logins if you want to stop system admins from gaining access.
May 26, 2005 at 1:05 pm
BUILTIN\Administrators can be removed but it is not recommended (esp. on the cluster) - it can cause SQL Server or Agent not to start.
May 26, 2005 at 10:48 pm
I recently went through the process of removing the BUILTIN\Administrators account; here are my notes:
-- KB 317746
exec sp_grantlogin 'NT Authority\System'
exec sp_addsrvrolemember @loginame = 'NT Authority\System', @rolename = 'sysadmin'
exec sp_droplogin 'BUILTIN\Administrators'
I found a strange one during this process that was not covered by the KB article: it seems that the Task Scheduler will log in to SQL Server using the SYSTEM account; exactly why, I could not find out. This was determined by the Lumigent Entegra audit software reporting the login failure at the time scheduled tasks were performed. After adding the SYSTEM account login in SQL Server, this audit notification stopped.
Andy
May 27, 2005 at 2:45 am
During the installation of our software we use InstallShield to revoke the Administrator logins, and apply a password to the sa account. This is because (with our wonderful setup on Windows XP) the user could access SQL Server via the 'OSQL -E' command and we needed to stop that.
The commands within the InstallShield script are as follows:
-- 'new password' is a placeholder for the chosen sa password
exec sp_password NULL, 'new password', 'sa'
exec sp_revokelogin N'BUILTIN\ADMINISTRATORS'
exec sp_revokelogin N'ServerName\ADMINISTRATOR'
Regards,
Steve
May 27, 2005 at 9:30 am
I know for sure that if BUILTIN\Administrators is removed, Full Text Search breaks - because it always uses the Local System Account. It cannot query remote servers. If SQL Server and Agent are also using the same account - they will not start.
May 27, 2005 at 1:14 pm
Both SQL Server and SQL Server Agent can be started up with a specific account instead of the system account. Right click the Server in Enterprise Manager, choose Properties, Security tab to change the SQL Server startup account. Right click SQL Server Agent (under Management), choose Properties, General tab will allow you to change the SQL Server Agent startup account. These must be changed to a specific account to be able to get rid of the BUILTIN\Administrators account.
Steve
May 27, 2005 at 2:09 pm
KB 237604: PRB: SQL Server Agent does not start and displays error 18456
KB 291255: BUG: IsAlive check does not run under the context of the BUILTIN\Administrators account
KB 295034: FIX: Microsoft Search Service may cause 100% CPU usage if BUILTIN\Administrators login is removed
KB 274446: INF: Upgrade to SQL Server 2000 failover solution recommended for all non-SQL Server 2000 virtual servers
KB 317746: SQL Server Full-Text Search Does Not Populate Catalogs
KB 815122: BUG: Sp_addarticle Stored Procedure Failures Occur After You Apply SQL WGID:230
All the above say - DON'T DO IT
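An added example, not written by any poster in this thread: a read-only T-SQL pre-flight check (SQL Server 2000 syntax) that reports whether the logins the replies above say are needed exist before BUILTIN\Administrators is touched. Assumptions: `DOMAIN\svc_sql` is a hypothetical placeholder for the SQL Server and Agent startup account, and that account is treated as needing sysadmin.

```sql
-- Added example (SQL Server 2000 syntax). Read-only: it changes nothing.
-- @svc is a hypothetical placeholder for the SQL Server / Agent startup account.
SET NOCOUNT ON
DECLARE @svc sysname, @problems int, @winonly int
SET @svc = N'DOMAIN\svc_sql'   -- placeholder, not a real account
SET @problems = 0
SET @winonly = CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly'))

-- 1. Who holds sysadmin today, and through what kind of login.
SELECT loginname,
       CASE WHEN isntgroup = 1 THEN 'Windows group'
            WHEN isntuser = 1 THEN 'Windows user'
            ELSE 'SQL login' END AS login_type,
       denylogin, hasaccess
FROM master.dbo.syslogins
WHERE sysadmin = 1
ORDER BY loginname

-- 2. Accounts the thread says must keep access once the group is gone.
IF NOT EXISTS (SELECT * FROM master.dbo.syslogins
               WHERE UPPER(loginname) = N'NT AUTHORITY\SYSTEM'
                 AND sysadmin = 1 AND denylogin = 0)
BEGIN
    PRINT 'MISSING: NT AUTHORITY\SYSTEM has no sysadmin login (see KB 317746).'
    SET @problems = @problems + 1
END
IF NOT EXISTS (SELECT * FROM master.dbo.syslogins
               WHERE UPPER(loginname) = UPPER(@svc)
                 AND sysadmin = 1 AND denylogin = 0)
BEGIN
    PRINT 'MISSING: startup account ' + @svc + ' has no sysadmin login.'
    SET @problems = @problems + 1
END

-- 3. A human administrator must still get in. sa only counts in Mixed Mode.
IF NOT EXISTS (SELECT * FROM master.dbo.syslogins
               WHERE sysadmin = 1 AND denylogin = 0
                 AND UPPER(loginname) NOT IN (N'BUILTIN\ADMINISTRATORS',
                                              N'NT AUTHORITY\SYSTEM', UPPER(@svc))
                 AND NOT (loginname = N'sa' AND @winonly = 1))
BEGIN
    PRINT 'MISSING: no administrator login would remain outside the group.'
    SET @problems = @problems + 1
END

IF @problems = 0
    PRINT 'OK: required logins exist; BUILTIN\Administrators can be reviewed for removal.'
ELSE
    PRINT 'STOP: fix the items above before dropping BUILTIN\Administrators.'
```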