Question about removing Builtin administrator account

  • We use SQL Server 2000 MSDE on XP embed.  The SQL Server Service startup account is 'local system'.  From the reading I had, it seems like in order for SQL Server Service to start and function normally, the 'built-in/administrator' account in SQL Server needs to be there.  I did some testing about it.  I removed the 'built-in/administrator' account, and I am able to start the SQL Server Service all right.

    Also I tried to install SP4 (I logged on to the server as local administrator).  The install failed when the 'built-in/administrator' account is available.  It failed when the install attempted to exec a .sql file and the access was denied. After I put the builtin account back and tried the install again, it went all right.

    My questions are

    1. When the SQL Server service startup account is set to be 'local system', is the 'builtin/administrator' login needed for the service to run?

    2. Why is the 'builtin/administrator' login needed when applying a service pack?

    Thanks.

  • Hi Crystal,

    The builtin/administrators Windows group is not required when installing a service pack unless, of course, you are logging in as a local administrator 😉

    We routinely remove builtin/administrators from our SQL installations AFTER adding a different Windows account that has administrative permissions that we can use for administering the server (service packs, user management, etc).

    Does your local system account have a login established to your SQL instance? That would explain why it will still start up even after removing the builtin\administrators group.

  • Ken,

    Thanks for the reply.  I did log in as a member of the local administrator group - this server is isolated and not on any domains. But I install the SP from a command line passing sa as upgradeuser.  I assumed that sa and password would be used when a connection to SQL Server is needed.  This is why I am puzzled by the fact that the builtin/administrator account is required for a successful install.

    There were no logins created for the local system account other than builtin administrator.  When I was doing the testing, I removed all other logins but sa.  My understanding of the process taken to remove a builtin/administrator account is the same as you described in your reply.  That is why I want to find out the reason that the service under the local system account can still start after the builtin/administrator account is removed.

    Thanks.

  • Part of the security measures that a DBA needs to take is to remove the builtin/administrator account.

    In installing the service pack, you need to provide the logon account with SA privilege on the server or, if prompted, supply the credentials.

    Verify whether you removed the account or denied it; these are two different actions and result in different behaviors (denying it will deny the current account logged on).
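
The remove-versus-deny check from the last reply, combined with the order described earlier in the thread (add a replacement administrative Windows account first, then remove the group), as an added T-SQL example for SQL Server 2000/MSDE. It is not code from any poster, and `MYSERVER\SqlAdmins` is a placeholder group name.

```sql
-- Added example for SQL Server 2000 / MSDE; run as a sysadmin (for example sa).
-- N'MYSERVER\SqlAdmins' is a placeholder Windows group, not a name from the thread.

-- 1. Was BUILTIN\Administrators removed, or denied?
--    no row returned -> the login was removed (sp_revokelogin)
--    denylogin = 1   -> the login was denied  (sp_denylogin)
--    hasaccess = 1   -> the login is still granted
SELECT loginname, isntgroup, hasaccess, denylogin, sysadmin
FROM   master.dbo.syslogins
WHERE  loginname = N'BUILTIN\Administrators';

-- 2. Which logins can currently administer the instance?
SELECT loginname, isntname, isntgroup
FROM   master.dbo.syslogins
WHERE  sysadmin = 1 AND hasaccess = 1 AND denylogin = 0;

-- 3. Add the replacement administrative Windows login first.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE  loginname = N'MYSERVER\SqlAdmins')
    EXEC sp_grantlogin N'MYSERVER\SqlAdmins';

EXEC sp_addsrvrolemember N'MYSERVER\SqlAdmins', N'sysadmin';

-- 4. Remove (do not deny) the built-in group, and only when another
--    usable Windows sysadmin login exists.
IF EXISTS (SELECT 1 FROM master.dbo.syslogins
           WHERE  loginname = N'BUILTIN\Administrators')
   AND EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE  sysadmin = 1 AND hasaccess = 1 AND denylogin = 0
                 AND  isntname = 1
                 AND  loginname <> N'BUILTIN\Administrators')
    EXEC sp_revokelogin N'BUILTIN\Administrators';

-- 5. Re-run query 1: no row should come back. A row with denylogin = 1
--    means the group was denied instead of removed.
```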
