February 28, 2006 at 4:21 am
Hello.
I am new to the site as I am new to the DBA role, so please bear with questions that might be simple for you.
I know that I can change the sa password from the Logins menu. However, if I use sp_password null, 'ok', 'sa', it works; does that mean that if you have system admin rights you can change the password without needing the former one?
Another question. If I want to change the sa password, why doesn't it work if I edit the sa password from Edit SQL Server registration properties? This approach gives an error, why?
Also, I have gathered this much: if I want to create groups, I need Active Directory. Can anyone please elaborate on this? I am looking to create groups and add Windows NT accounts to them.
Lastly, what is the Built-In\Administrators (Windows Group) there for?
Sorry for too many questions. Please bear with me.
Thanks,
Madiha!
February 28, 2006 at 7:29 am
1) Yes, if you have system admin rights you can change the password without needing the former one.
2) The SQL registration window is to define the credentials SSMS uses to connect to SQL Server. The window does not generate the code to change the password.
3) Not sure.
4) It's a predefined account in SQL Server. The administrator group in your local computer will map to this account. You can change the server roles for the account, or remove it if you do not have SQL Server clusters.
February 28, 2006 at 8:13 am
Thanks. That was really helpful.
I just remember vaguely it being mentioned in one of the posts that the built-in administrator account should not be deleted.
Madiha!
March 1, 2006 at 9:46 am
I disagree. It can and should be in order to tighten security. However, never do this without researching and testing. As far as I know, the only reason that you should not is if you use Full Text Search.
Regards
Rudy Komacsar
Senior Database Administrator
"Ave Caesar! - Morituri te salutamus."
March 1, 2006 at 11:00 am
" .. Also, I have gathered this much that if I want to create groups, I need Active directory. Can any one please elaborate on this. I am looking to create groups and add windows NT accounts to them. "
We do it this way: Create a Global group for each Database and permission level. For instance you might have Global groups for your "Test" database like: SQL_Test_R (read only), SQL_Test_RW (read,write), SQL_Test_DBO. Then add your Windows accounts to the appropriate groups. Then create similarly named Local Groups on the SQL server. On the server, add the Global Groups to the Local Groups. Then give the Local Group the various permissions.
Summary: "AGLP"
"A" Accounts --> into "G" Global groups --> into "L" Local groups --> get "P" permissions.
It's a bit of work to set up, but when you're done, it's very simple to manage. Just use Active Directory to put Windows users into the appropriate groups. You can also use AD to view all the groups that a particular user is in.
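The SQL Server side of the AGLP layout described in the post above, as an added example that is not part of the original thread. It assumes SQL Server 2005 syntax, a hypothetical server named SQLSRV01, and a mapping of the R/RW/DBO groups to the fixed roles db_datareader, db_datawriter and db_owner; the last statement lists who currently reaches the server through BUILTIN\Administrators, the group discussed elsewhere in this thread.

```sql
-- Added example. SQLSRV01 and the role mapping are assumptions, not from the thread.
-- Prerequisite done with Windows tools: local groups SQL_Test_R, SQL_Test_RW and
-- SQL_Test_DBO exist on SQLSRV01 and each contains the matching domain global group.
USE master;
GO
-- "L": one login per local group; no per-user logins are created.
CREATE LOGIN [SQLSRV01\SQL_Test_R]   FROM WINDOWS WITH DEFAULT_DATABASE = [Test];
CREATE LOGIN [SQLSRV01\SQL_Test_RW]  FROM WINDOWS WITH DEFAULT_DATABASE = [Test];
CREATE LOGIN [SQLSRV01\SQL_Test_DBO] FROM WINDOWS WITH DEFAULT_DATABASE = [Test];
GO
USE [Test];
GO
-- Map each group login to a database user in the Test database.
CREATE USER [SQLSRV01\SQL_Test_R]   FOR LOGIN [SQLSRV01\SQL_Test_R];
CREATE USER [SQLSRV01\SQL_Test_RW]  FOR LOGIN [SQLSRV01\SQL_Test_RW];
CREATE USER [SQLSRV01\SQL_Test_DBO] FOR LOGIN [SQLSRV01\SQL_Test_DBO];
GO
-- "P": permissions come only from role membership of the group users.
EXEC sp_addrolemember N'db_datareader', N'SQLSRV01\SQL_Test_R';
EXEC sp_addrolemember N'db_datareader', N'SQLSRV01\SQL_Test_RW';
EXEC sp_addrolemember N'db_datawriter', N'SQLSRV01\SQL_Test_RW';
EXEC sp_addrolemember N'db_owner',      N'SQLSRV01\SQL_Test_DBO';
GO
-- Review 1: every Windows group that has a server login (type 'G').
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type = 'G'
ORDER BY name;

-- Review 2: which roles each Windows group holds in the current database.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.type = 'G'
ORDER BY m.name, r.name;

-- Review 3: accounts and groups that get access through the local Administrators group.
EXEC xp_logininfo N'BUILTIN\Administrators', N'members';
```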
March 2, 2006 at 2:38 am
What I understand is that Global groups are at database level while local groups are at server level. What do we need local groups for? Plus, when we have given permission at global group level, why do we need to re-assign at local group level?
Anyway, thanks for clearing up much of the confusion. I thought I would have the System Administrator create groups and add users to them (just as we have mailing groups in a mailing or office address book, as I tried it once) and I would simply add those groups to SQL Server.
Regards,
Madiha.
March 2, 2006 at 2:41 am
What do you disagree with? I don't get it. Could you please add as I am not able to follow the chain.
Thanks,
Madiha.
March 6, 2006 at 9:34 am
I disagree with your statement about not/never deleting the Builtin\Administrators. You can do it without ill effects if you do your homework. Deleting Builtin\Administrators (or at a minimum revoking the login) does close a security hole.
Regards
Rudy Komacsar
Senior Database Administrator
"Ave Caesar! - Morituri te salutamus."