November 2, 2009 at 8:29 pm
Comments posted to this topic are about the item How to Connect to a SQL 2005 Server When You Are Completely Locked Out
Rudy
November 2, 2009 at 9:22 pm
You can gain access to SQL Server 2005 by adding your Windows login to one of the following local groups on the server , depending on if it is default or named instance (replace ComputerName and InstanceName with the actual names)
Default instance: SQLServerMSSQLUser$ComputerName$MSSQLSERVER
Named instance: SQLServerMSSQLUser$ComputerName$InstanceName
You should not have to restart SQL Server to gain access this way.
November 3, 2009 at 4:31 am
this way is not good, because yoiu dont have the permission to connect just with sqlcmd -E, this way is not excat.
You must add your login to local group created by installation sql
November 3, 2009 at 6:47 am
harriga.rabie-1008938 (11/3/2009)
this way is not good, because yoiu dont have the permission to connect just with sqlcmd -E, this way is not excat.You must add your login to local group created by installation sql
That is correct.
Also, using sqlcmd -E uses the trusted account you are logged into as your sql login. Well, if you are completely locked out, how would this work? If you could get in this way and had permissions to create logins, why couldn't you just login to sql management studio and just change the sa password?
November 3, 2009 at 7:50 am
Hello everyone and thank you for reading my article.
I would like to make two points on the comments I have seen here.
There are some questions about the "sqlcmd -E" command. Once you place the SQL server into single user mode (sqlservr.exe -m), this is the best and recommended way to connect to the SQL server in this mode. You could use an id/account to connect but if you have an id/account already then you would not be locked out.
Yes, by adding your own id/account to the SQL server, you should not get locked out. But this is not always the case. Here are some scenarios that could happen where you can not add your id/account and thus be locked out.
1) The application is very sensitive and you are not allowed by the business owner, auditors and/or government agencies to just add your id/account and are forced to use a supplied account for access.
2) The SQL server is inherited. When a company is bought out by another and people are let go, not everyone is nice enough to leave all the information.
3) Someone has deliberately deleted id/account from the SQL server. Possibly an unhappy employee/staff member or worse.
As you can see there are many reasons why you many not be able to connect to SQL server and if you ever run into this problem, I hope you will find this article helpful.
Thanks,
Rudy
Rudy
November 3, 2009 at 7:54 am
The real way is to use the Dedicated Administrator Connection. You need to be on the physical box and member of sysadmin, and you can use either sqlcmd or Management Studio. This way you will not remove any information as to why you could not get in in the first place.
See this very short and precise way to do this:
http://msdn.microsoft.com/en-us/library/ms178068.aspx
Christian Mark Jensen
DBA
November 3, 2009 at 7:55 am
I still do not understand how you can use integrated security to connect to an instance that the user your logged into the machine with does not have permission to? I am confused here. does -e in single user mode bypass all security and let anyone log in? I would be very shocked at that.
November 3, 2009 at 8:21 am
Per MSDN:
Under certain circumstances, you may have to start an instance of SQL Server in single-user mode by using the startup option -m. For example, you may want to change server configuration options or recover a damaged master database or other system database. Both actions require starting an instance of SQL Server in single-user mode.
Starting SQL Server in single-user mode enables any member of the computer's local Administrators group to connect to the instance of SQL Server as a member of the sysadmin fixed server role.
Thank you for the article OP. Very useful
November 3, 2009 at 8:24 am
chrismj (11/3/2009)
The real way is to use the Dedicated Administrator Connection. You need to be on the physical box and member of sysadmin, and you can use either sqlcmd or Management Studio. This way you will not remove any information as to why you could not get in in the first place.See this very short and precise way to do this:
http://msdn.microsoft.com/en-us/library/ms178068.aspx
Christian Mark Jensen
DBA
The DAC, which has to be enabled as it is off by default, still requires sql server credentials. Starting the sql server service in single-user-mode only requires that you're an admin on the server, not the sql server. The article is about how to get yourself access when all other methods are lost.
November 3, 2009 at 8:26 am
From the article:
The builtin\administrators account has been removed for security reasons
??
November 3, 2009 at 8:27 am
Thank you John.
I wrote this article in case you have "no other way" to connect to the SQL server.
Rudy
Rudy
November 3, 2009 at 8:30 am
einman33 (11/3/2009)
From the article:The builtin\administrators account has been removed for security reasons
??
This happens if you don't want your outsourced IT Dept. seeing accounting data, such as payroll. SQL Server single user mode must use a separate set of permissions that, when active, allows anyone with local admin permissions rights to the data. So, the IT Dept. could still get into the data if they switched it to single user mode? Nice.
November 3, 2009 at 8:31 am
einman33 (11/3/2009)
From the article:The builtin\administrators account has been removed for security reasons
??
What is your question?
November 3, 2009 at 8:32 am
This happens if you don't want your outsourced IT Dept. seeing accounting data, such as payroll. SQL Server single user mode must use a separate set of permissions that, when active, allows anyone with local admin permissions rights to the data. So, the IT Dept. could still get into the data if they switched it to single user mode? Nice.
I know, right. Very uncomfortable feeling knowing that the network team could still get in if they really wanted to.
November 3, 2009 at 8:35 am
john.vanda (11/3/2009)
This happens if you don't want your outsourced IT Dept. seeing accounting data, such as payroll. SQL Server single user mode must use a separate set of permissions that, when active, allows anyone with local admin permissions rights to the data. So, the IT Dept. could still get into the data if they switched it to single user mode? Nice.
I know, right. Very uncomfortable feeling knowing that the network team could still get in if they really wanted to.
Well, at least I learned something today that I never knew.
Viewing 15 posts - 1 through 15 (of 97 total)
You must be logged in to reply to this topic. Login to reply