September 2, 2010 at 7:29 am
Hi,
We had setup a SQL 2005 cluster active/passive server. We are going to use this one for production.
Now we want to remove the BUILTIN/Administrators from SQL Logins.
As far I know we need to add the Cluster service account to SQL LOGINS then we are good to remove the builtin/admin.
Is there any other things need to be taken care?
Is it possible to add BUILTIN/Administrators again to SQL login?
Please advice
September 2, 2010 at 11:55 am
Instead of removing the Group, you can remove the sysadmin privilege from the BUILTIN\Administrators group.
But before doing so make sure that you know the sa password or you have atleast one sysadmin user who is not part of the BUILTIN\Administrators.
But It's always a best practice to remove BUILTIN\Administrators group from the SQL server.
Thank You,
Best Regards,
SQLBuddy
September 3, 2010 at 5:28 pm
we want to remove the BUILTIN/Administrator after adding the Window group to SQL Logins to administer the SQL Server
D0 We need server failover/failback the cluster to ensure everything is working fine.
September 4, 2010 at 6:32 pm
Failing over the resources would confirm if the change has gone well with SQL Server or not
Pradeep Adiga
Blog: sqldbadiaries.com
Twitter: @pradeepadiga
September 7, 2010 at 1:47 pm
Thanks for your replies.
I have successfully removed BUILTIN/Administrator after adding the group to SQL Login that used to administer the SQL Server.
Our server is SQL Server 2005 cluster server active/passive
What authentication is required in this scenario.
Presently in mixed mode, can I change it to windows authentication ?
September 7, 2010 at 2:32 pm
laddu4700 (9/7/2010)
Thanks for your replies.I have successfully removed BUILTIN/Administrator after adding the group to SQL Login that used to administer the SQL Server.
Our server is SQL Server 2005 cluster server active/passive
What authentication is required in this scenario.
Presently in mixed mode, can I change it to windows authentication ?
There are very very few situations where you can move from mixed to pure windows authentication. I wouldn't recommend it. For one, most applications and ODBC sources connect via username/password, not kerberos. Second, if your domain controller goes down, has an error, someone deletes/disables your one admin account, etc...well you're up the creek without a paddle.
September 7, 2010 at 3:55 pm
laddu4700 (9/7/2010)
Presently in mixed mode, can I change it to windows authentication ?
If you do see that all of your applications are using Windows Authentication and not SQL you can change it to Windows Authentication. The alternate that I do sometimes if I am Windows Auth only and utilize domain accounts, is to create a local account and add that account to SQL Server. That will then allow you to get into the instance when you cannot authenticate a Windows domain account. As well you can just disable the local Windows account when you don't need to use it.
Derrick Smith
Second, if your domain controller goes down, has an error, someone deletes/disables your one admin account, etc...well you're up the creek without a paddle.
On most occassions if my domain controllers go down, the SQL Server instances are the least of my problems at that moment. 😀
Shawn Melton
Twitter: @wsmelton
Blog: wsmelton.github.com
Github: wsmelton
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply