May 24, 2008 at 3:24 pm
hi all.
am on a production server and i want ton role. know what i can do in order to make the sa login without any power.
i know that i can disable the account, but it must by some thing more i can do, like remove it from the sysadmin role using some work around but i cant find out how.
any one have any good ideas.??
..>>..
MobashA
May 24, 2008 at 4:23 pm
It's easy... don't try to remove the SA login... just change the password and don't give it out to anyone, ever...
--Jeff Moden
Change is inevitable... Change for the better is not.
May 25, 2008 at 12:37 am
yes i can do so, the case is am new in the company and every one used to use the sa for any thing even select statements, when i ask some one what he want to do in order to give him the needed priv he said he want the sa (the general manager), but if i get rid of the sa so no one will ask for it..
..>>..
MobashA
May 25, 2008 at 8:55 am
If you simply rip the SA rug out from under them, you'll make a lot of enemies... you need to get management to buy into a good security plan where folks have read access and they have a "reporting" database (sandbox, really), where they can play to their little hearts content. We have one that is "restored" every four hours from the production box. There's a separate "work" database where folks can store their favorite queries without them being overwritten every four hours. That way, they can have a login with "SA" privs without taking the chance on blowing production out of the water.
It'll take you 3 or 4 months to convince management of such a thing, but it's well worth it... makes everyone happy.
--Jeff Moden
Change is inevitable... Change for the better is not.
May 25, 2008 at 11:47 pm
i have already convienced them to remove the sa, but still may some one ask for it as he knows that sa is the most powerfull user, so i dont want top give him a chance.
..>>..
MobashA
May 26, 2008 at 7:17 am
I can't get over the gut feeling that it's a bad idea, but here goes...
First, make sure that some other user, preferably some DBA (yourself?) has SA privs.
Second, open SSMS and click on {View}{Object Explorer}. Expand {security} and then {logins}. Double click on SA and a new window will open. Click on {server roles}. Find the {sysadmin} role and deselect it. Click {OK}.
--Jeff Moden
Change is inevitable... Change for the better is not.
May 26, 2008 at 7:41 am
You can disable the sa account. On SQL 2005, you can also rename it if you like (and create a new login named sa with any permissions you like), however you cannot modify the original sa login.
If you try to remove it from the sysadmin group, you get an error:
Error 15405
Drop member failed for ServerRole 'sysadmin'
Cannot use the special principal 'sa'
You can rename from object explorer in management studio. Right click the login and choose 'rename'
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
May 26, 2008 at 7:43 am
mobasha (5/25/2008)
i have already convienced them to remove the sa, but still may some one ask for it as he knows that sa is the most powerfull user, so i dont want top give him a chance.
Tell him 'No'. Tell him that handing out the sa password is against your security policies (if it's not, it should be)
You're looking for a technological solution to a non-technological problem
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
May 26, 2008 at 8:00 am
it would be like this:
he ask for sa i say i have no such login, tell me what u want and i will provide u with a user to do what u need.
end of sotry.
u know am not the only DBA, but soon i will, so i cant disable the sa out of blow or keep the password just for my self, i need time before say no.
..>>..
MobashA
May 26, 2008 at 9:37 am
mobasha (5/26/2008)
it would be like this:he ask for sa i say i have no such login, tell me what u want and i will provide u with a user to do what u need.
end of sotry.
u know am not the only DBA, but soon i will, so i cant disable the sa out of blow or keep the password just for my self, i need time before say no.
That's what you get for "lying"... the real fact is the SA login exists... muster up your courage, get full management support, and start telling people "NO", they can't have the SA password. Doing what you said...
"tell me what u want and i will provide u with a user to do what u need."
... should be prefaced with "Management says no one but DBA's get's the SA password, however, tell me what u want and i will provide u with a user to do what u need." is the best way to go.
--Jeff Moden
Change is inevitable... Change for the better is not.
May 26, 2008 at 10:07 am
for the time being we r in a transetion period and things needs some time to be done.
any way, if i disable the sa account i still can enable it again, i need some way to make the sa account disapper, vanech or some thing like this..
..>>..
MobashA
May 26, 2008 at 4:40 pm
So, delete the SA account just like any other account... just make sure that SOME account has SA privs.
Still, I'd rather get the users used to the idea of the word "NO"... transitive period or not. 😉 What are you going to do when they start asking for the sysadmin role instead of just "SA"? Answer will need to be "NO".
--Jeff Moden
Change is inevitable... Change for the better is not.
May 26, 2008 at 11:39 pm
can i just delete it i dont think i could!
..>>..
MobashA
May 26, 2008 at 11:58 pm
Don't think so, but you can rename it. Not as good, but it does make it less obvious. Call it something like guest_user_testing or something like that and give it a rediculous password that even you don't know (3 guids cast to varchar and put together work well)
As I said before, no amount of tweaking sa's properties will help you here. You need to tell the user that the cannot have the sa password of sysadmin privilidges. End of Story.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
May 27, 2008 at 11:57 am
The better approach would be to disable SQL Server accounts and just use windows authentication.
I agree with Jeff here, this is a bad idea. Your asking to do something that the product I am sure never expected anyone to do. Don't expect to successfully apply a patch in the future (without some serious help for support $$)
Go see the Wizard and get some courage.
Viewing 15 posts - 1 through 15 (of 29 total)
You must be logged in to reply to this topic. Login to reply