removing local admin group

Question

removing local admin group

scorpvo

SSCommitted

Points: 1769
More actions
April 28, 2003 at 10:15 am

#59221

I read somewhere but can any verify and show me links with issues with removing the 'local\admin' group from SQL Server security? thanks..

Viewing 8 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply

Allen Cui-55137 SSC Guru Points: 51650 More actions · Answer 1

Be aware removing 'BUILTIN\Administrators' login from SQL Server might cause problems such as cluster SQL Server and full text service. See KBs below for issues and solutions.

http://support.microsoft.com/default.aspx?scid=kb;en-us;263712

http://support.microsoft.com/default.aspx?scid=kb;en-us;295034

http://support.microsoft.com/default.aspx?scid=kb;en-us;317746

K. Brian Kelley SSC Guru Points: 114642 More actions · Answer 2

Also make sure you have the appropriate accounts specified as sysadmin fixed server role members before dropping BUILTIN\Administrators. Last thing you want to do is drop that group and then realize you don't have access back into SQL Server.

K. Brian Kelley

http://www.truthsolutions.com/

Author: Start to Finish Guide to SQL Server Performance Monitoring

http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

K. Brian Kelley
@kbriankelley

scorpvo SSCommitted Points: 1769 More actions · Answer 3

scorpvo

SSCommitted

Points: 1769

April 29, 2003 at 9:19 am

#455701

thanks for the input and links..

scorpvo SSCommitted Points: 1769 More actions · Answer 4

scorpvo

SSCommitted

Points: 1769

April 29, 2003 at 9:25 am

#455702

thanks for the input and links..

Clive Strong SSChampion Points: 11222 More actions · Answer 5

If you want to stop people logging in and gaining admin rights through the BUILTIN\Administrators, you can remove the login from the Sysadmin server role.

Clive Strong

sqlsrvr_dba@hotmail.com

Steve Jones - SSC Editor SSC Guru Points: 736255 More actions · Answer 6

I hate this. IMHO, it's more of a pain, especially when you are on vacation or need some remote hands. Just my experience, but I tend to allow local admins the access right, but track changes pretty tightly. If someone makes a change without asking permission or being aware of their actions, we handle it face to face, in an administrative fashion, i.e. I scream at them.

Steve Jones

sjones@sqlservercentral.com

http://www.sqlservercentral.com/columnists/sjones

http://www.dkranch.net

scorpvo SSCommitted Points: 1769 More actions · Answer 7

I tend not to remove the group neither, just that these servers are shipped to South America countries and I really don't want those network guys down there having authentication into SQL. I created a domain account that has 'local admin' rite and sys admin to start the services and use that account to maintain the servers. I read and had some knowledge with issues of removing this group but I just some more insights from all the experts.. 🙂