September 25, 2008 at 2:42 am
Following an issue I had last night not being able to log into SQL 2000, I'm wondering if anyone can clarify.
I disabled the BUILTIN\Administrators account and set Authentication to Windows only. I have a dedicated AD Group that is a SysAdmin in SQL Server itself of which I am a member. When I tried to connect I couldn't. When I re-enabled the BUILTIN\Administrators account I could then get in?
September 25, 2008 at 4:36 am
Hello,
By "disable" do you mean you denied access for the BUILTIN\Administrators login?
If you are also a member of BUILTIN\Administrators then the deny would override the grant associated with your AD Group membership - hence no access.
To quote BOL: "Users cannot connect to an instance of SQL Server if their user account, or any group in which they are a member, has been denied login access"
Regards,
John Marsh
www.sql.lu
SQL Server Luxembourg User Group
September 25, 2008 at 4:54 am
That's a good point. How can I see if i am a member of BUILTIN\Administrators?
September 25, 2008 at 4:59 am
Hello Steve,
If you are a member of the local Administrators group on the Windows Server, then you are in it.
Regards,
John Marsh
www.sql.lu
SQL Server Luxembourg User Group
September 25, 2008 at 6:26 am
Thanks John. Problem sorted and understood.
September 25, 2008 at 6:32 am
Just a thought - has this changed in SQL 2005 - I'm sure I've done the same thing there without adverse effects?
September 25, 2008 at 6:42 am
Hello Steve,
In SQL 2005, as well as the Grant/Deny option you also have the Enable/Disable option, which is probably what you did?
Having the BUILTIN\Administrators Login set as disabled won’t override a Grant on another "Group" Login of which you are a member.
Regards,
John
www.sql.lu
SQL Server Luxembourg User Group
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply