How to Connect to a SQL 2005 Server When You Are Completely Locked Out

  • Comments posted to this topic are about the item How to Connect to a SQL 2005 Server When You Are Completely Locked Out

    Rudy

  • You can gain access to SQL Server 2005 by adding your Windows login to one of the following local groups on the server , depending on if it is default or named instance (replace ComputerName and InstanceName with the actual names)

    Default instance: SQLServerMSSQLUser$ComputerName$MSSQLSERVER

    Named instance: SQLServerMSSQLUser$ComputerName$InstanceName

    You should not have to restart SQL Server to gain access this way.

  • this way is not good, because yoiu dont have the permission to connect just with sqlcmd -E, this way is not excat.

    You must add your login to local group created by installation sql

  • harriga.rabie-1008938 (11/3/2009)


    this way is not good, because yoiu dont have the permission to connect just with sqlcmd -E, this way is not excat.

    You must add your login to local group created by installation sql

    That is correct.

    Also, using sqlcmd -E uses the trusted account you are logged into as your sql login. Well, if you are completely locked out, how would this work? If you could get in this way and had permissions to create logins, why couldn't you just login to sql management studio and just change the sa password?

  • Hello everyone and thank you for reading my article.

    I would like to make two points on the comments I have seen here.

    There are some questions about the "sqlcmd -E" command. Once you place the SQL server into single user mode (sqlservr.exe -m), this is the best and recommended way to connect to the SQL server in this mode. You could use an id/account to connect but if you have an id/account already then you would not be locked out.

    Yes, by adding your own id/account to the SQL server, you should not get locked out. But this is not always the case. Here are some scenarios that could happen where you can not add your id/account and thus be locked out.

    1) The application is very sensitive and you are not allowed by the business owner, auditors and/or government agencies to just add your id/account and are forced to use a supplied account for access.

    2) The SQL server is inherited. When a company is bought out by another and people are let go, not everyone is nice enough to leave all the information.

    3) Someone has deliberately deleted id/account from the SQL server. Possibly an unhappy employee/staff member or worse.

    As you can see there are many reasons why you many not be able to connect to SQL server and if you ever run into this problem, I hope you will find this article helpful.

    Thanks,

    Rudy

    Rudy

  • The real way is to use the Dedicated Administrator Connection. You need to be on the physical box and member of sysadmin, and you can use either sqlcmd or Management Studio. This way you will not remove any information as to why you could not get in in the first place.

    See this very short and precise way to do this:

    http://msdn.microsoft.com/en-us/library/ms178068.aspx

    Christian Mark Jensen

    DBA

  • I still do not understand how you can use integrated security to connect to an instance that the user your logged into the machine with does not have permission to? I am confused here. does -e in single user mode bypass all security and let anyone log in? I would be very shocked at that.

  • Per MSDN:

    Under certain circumstances, you may have to start an instance of SQL Server in single-user mode by using the startup option -m. For example, you may want to change server configuration options or recover a damaged master database or other system database. Both actions require starting an instance of SQL Server in single-user mode.

    Starting SQL Server in single-user mode enables any member of the computer's local Administrators group to connect to the instance of SQL Server as a member of the sysadmin fixed server role.

    Thank you for the article OP. Very useful

  • chrismj (11/3/2009)


    The real way is to use the Dedicated Administrator Connection. You need to be on the physical box and member of sysadmin, and you can use either sqlcmd or Management Studio. This way you will not remove any information as to why you could not get in in the first place.

    See this very short and precise way to do this:

    http://msdn.microsoft.com/en-us/library/ms178068.aspx

    Christian Mark Jensen

    DBA

    The DAC, which has to be enabled as it is off by default, still requires sql server credentials. Starting the sql server service in single-user-mode only requires that you're an admin on the server, not the sql server. The article is about how to get yourself access when all other methods are lost.

  • From the article:

    The builtin\administrators account has been removed for security reasons

    ??

  • Thank you John.

    I wrote this article in case you have "no other way" to connect to the SQL server.

    Rudy

    Rudy

  • einman33 (11/3/2009)


    From the article:

    The builtin\administrators account has been removed for security reasons

    ??

    This happens if you don't want your outsourced IT Dept. seeing accounting data, such as payroll. SQL Server single user mode must use a separate set of permissions that, when active, allows anyone with local admin permissions rights to the data. So, the IT Dept. could still get into the data if they switched it to single user mode? Nice.

  • einman33 (11/3/2009)


    From the article:

    The builtin\administrators account has been removed for security reasons

    ??

    What is your question?

  • This happens if you don't want your outsourced IT Dept. seeing accounting data, such as payroll. SQL Server single user mode must use a separate set of permissions that, when active, allows anyone with local admin permissions rights to the data. So, the IT Dept. could still get into the data if they switched it to single user mode? Nice.

    I know, right. Very uncomfortable feeling knowing that the network team could still get in if they really wanted to.

  • john.vanda (11/3/2009)


    This happens if you don't want your outsourced IT Dept. seeing accounting data, such as payroll. SQL Server single user mode must use a separate set of permissions that, when active, allows anyone with local admin permissions rights to the data. So, the IT Dept. could still get into the data if they switched it to single user mode? Nice.

    I know, right. Very uncomfortable feeling knowing that the network team could still get in if they really wanted to.

    Well, at least I learned something today that I never knew.

Viewing 15 posts - 1 through 15 (of 97 total)

You must be logged in to reply to this topic. Login to reply