September 21, 2004 at 1:19 pm
Hi,
We have installed SMS on SQL Server 2000.
After the install, as usual, I removed BUILTIN\Administrators from the SQL server and ... SMS failed to connect to SQL Server.
I found a Microsoft TechNet article (http://www.microsoft.com/technet/prodtechnol/sms/sms2003/security/spsecsms03/spsec_10.mspx)
that describes how to remove BUILTIN\Administrators with SMS:
exec sp_grantlogin '<computer account>'
exec sp_changedbowner '<computer account>'
exec sp_grantlogin 'NT AUTHORITY\SYSTEM'
exec sp_addrolemember 'db_owner', 'NT AUTHORITY\SYSTEM'
exec sp_droplogin 'BUILTIN\Administrators'
SMS still could not connect to the DB.
It started working only after 'NT AUTHORITY\SYSTEM' was granted the SQL Server role "Server Administrator".
QUESTIONS:
1) What is the '<computer account>' ?
2) Is it the same security risk to grant sys admin rights to 'NT AUTHORITY\SYSTEM' as it was with 'BUILTIN\Administrators'?
TIA kindly for your help,
Leo
September 22, 2004 at 8:14 am
It is the account SMS is running with - usually a domain account added to the local admins. This would be the account that SMS was installed with and is using as login to run
September 22, 2004 at 10:04 am
Be sure this SMS account has rights to connect to SQL Server. It logs in like any other user of SQL Server.
September 23, 2004 at 8:17 am
Hi,
I've contacted Microsoft and they confirm that NT AUTHORITY\SYSTEM as well as DOMAIN\COMPUTERACCOUNT must be the sys admins on the SQL box, and:
"...Microsoft has assured that the use of computer accounts specifically the “NT AUTHORITY\SYSTEM” account is the most secure means of locking down access to your SQL database. There is no loss of functionality when using computer accounts to access your SQL database..."
The DOMAIN\COMPUTERACCOUNT is DomainName\ComputerName$
Thank you everybody for help.
Leo
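An added example (not from the thread or the TechNet article): a T-SQL check, written against the SQL Server 2000 `master.dbo.syslogins` view, that confirms the `BUILTIN\Administrators` login is gone and lists every login that holds the sysadmin role after the steps discussed above. The `login_type` and `who_can_use_it` column aliases and their notes are illustrative, and a case-insensitive server collation is assumed.

```sql
-- Added example: audit sysadmin membership after removing BUILTIN\Administrators.
-- master.dbo.syslogins is the SQL Server 2000 login view (kept later for compatibility).
USE master
GO

-- 1) Confirm the BUILTIN\Administrators login is really gone.
IF EXISTS (SELECT 1 FROM master.dbo.syslogins
           WHERE loginname = 'BUILTIN\Administrators')
    PRINT 'BUILTIN\Administrators still has a login on this server'
ELSE
    PRINT 'BUILTIN\Administrators login not present'

-- 2) List every login holding the sysadmin fixed server role, with a note on
--    which Windows identities can actually authenticate as that login.
SELECT  loginname,
        CASE WHEN isntgroup = 1 THEN 'Windows group'
             WHEN isntuser  = 1 THEN 'Windows user/computer'
             ELSE 'SQL login' END AS login_type,
        hasaccess,      -- 1 = login has been granted access to the server
        denylogin,      -- 1 = login is explicitly denied
        CASE WHEN loginname = 'NT AUTHORITY\SYSTEM'
                 THEN 'any service running as LocalSystem on this host'
             WHEN loginname LIKE '%$'
                 THEN 'computer account: LocalSystem services on that machine'
             WHEN isntgroup = 1
                 THEN 'group: review its Windows membership'
             ELSE '' END AS who_can_use_it
FROM    master.dbo.syslogins
WHERE   sysadmin = 1
ORDER BY loginname
GO
```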