During SQL Server 2005 installation, several logins are added to the
sysadmin role including:
- local administrator group (BUILTIN\Administrators),
- Local System (NT AUTHORITY\SYSTEM), and
- sa.
A common hardening practice is to later remove the local administrator group
from the sysadmin role, thereby separating server administration from DBMS
administration. However, I don't recall ever seeing the recommendation to
also remove the LocalSystem account from the sysadmin role.
Has anyone seen recommendations to remove BOTH local administrators and
LocalSystem from the sysadmin role for hardening purposes, and - if this
were to be done - what are the consequences?
Thanks in advance (and apologies for re-posting in hopes of a response),
DrewHello Drew,
Yes, generally we remove local administrator group from sysadmin role which
actually prevent accessing sql server who is having system admini privilages
on the server.
Now personally I prefer not to remove Local System as I was facing problem
while using the full-text search. Please refer the following Microsoft
article.
http://support.microsoft.com/kb/317746
Hope this will help you.
Regards,
MB
"DHamre" <dhamre@.comcast.net> wrote in message
news:%23Au%23cyMMHHA.3424@.TK2MSFTNGP02.phx.gbl...
> During SQL Server 2005 installation, several logins are added to the
> sysadmin role including:
> - local administrator group (BUILTIN\Administrators),
> - Local System (NT AUTHORITY\SYSTEM), and
> - sa.
> A common hardening practice is to later remove the local administrator
> group from the sysadmin role, thereby separating server administration
> from DBMS administration. However, I don't recall ever seeing the
> recommendation to also remove the LocalSystem account from the sysadmin
> role.
> Has anyone seen recommendations to remove BOTH local administrators and
> LocalSystem from the sysadmin role for hardening purposes, and - if this
> were to be done - what are the consequences?
> Thanks in advance (and apologies for re-posting in hopes of a response),
> Drew
>
Showing posts with label role. Show all posts
Showing posts with label role. Show all posts
Friday, March 9, 2012
Friday, February 24, 2012
Local group permissions
Hi,
Is it possible to grant role assignment to report server local groups in
SSRS 2000? if so, how? I can't do it.
Thanks
AlexI managed to set local group policy only by adding the users to a
server-level group and then assign that group permissions. The same can be
done by adding individual accounts to the server itself, but I was unable to
create groups within RS itself.
Hope this assists,
"Alex" wrote:
> Hi,
> Is it possible to grant role assignment to report server local groups in
> SSRS 2000? if so, how? I can't do it.
> Thanks
> Alex
>
>|||Is is possible to restrict group rights per report using domain groups.
If I want a particular user to be able to view one or two reports and those
alone without viewing other reports, how would I attempt this. Say I want
only Sales see the sales reports, payroll to see only payroll, Tech Support
to see Tech Support and etc...
is this possible?
Regards,
Samson
"Logicalman" wrote:
> I managed to set local group policy only by adding the users to a
> server-level group and then assign that group permissions. The same can be
> done by adding individual accounts to the server itself, but I was unable to
> create groups within RS itself.
> Hope this assists,
> "Alex" wrote:
> > Hi,
> >
> > Is it possible to grant role assignment to report server local groups in
> > SSRS 2000? if so, how? I can't do it.
> >
> > Thanks
> > Alex
> >
> >
> >|||Samson,
Yes, you simply add the user to the group having permission on that report.
Be aware though, that by adding the user to that group he/she will then be
able to view ALL reports that particular group has permissions to.
example.
Report 1
Report 2
Report 3
Report 4
Group A
Group B
If Group A is given permission to browse Reports 1 and 2, and Group B is
given permission to view Reports 2,3 and 4.
By adding User X to Broup A, he/she will have access to Reports 1 and 2, by
adding User z to Group B he/she will have access to Reports 2,3 and 4.
If you want User Y to view Report 2 only, and no other Reports, then you
will need to either add that user directly to Report 2, or create a new Group
C, and assign permissions to Group C to view Report 2.
Again, such Gropus may be part of the Active Directory or the Server.
I hope this clears up any ambiguity.
"Samson" wrote:
> Is is possible to restrict group rights per report using domain groups.
> If I want a particular user to be able to view one or two reports and those
> alone without viewing other reports, how would I attempt this. Say I want
> only Sales see the sales reports, payroll to see only payroll, Tech Support
> to see Tech Support and etc...
> is this possible?
>
> --
> Regards,
> Samson
>
> "Logicalman" wrote:
> > I managed to set local group policy only by adding the users to a
> > server-level group and then assign that group permissions. The same can be
> > done by adding individual accounts to the server itself, but I was unable to
> > create groups within RS itself.
> >
> > Hope this assists,
> >
> > "Alex" wrote:
> >
> > > Hi,
> > >
> > > Is it possible to grant role assignment to report server local groups in
> > > SSRS 2000? if so, how? I can't do it.
> > >
> > > Thanks
> > > Alex
> > >
> > >
> > >|||That is good news. I guess my question is how. I created 3 users groups,
sales, techs, payroll.
How do I set the permission on the particular folder that holds the reports?
Regards,
Samson
"Logicalman" wrote:
> Samson,
> Yes, you simply add the user to the group having permission on that report.
> Be aware though, that by adding the user to that group he/she will then be
> able to view ALL reports that particular group has permissions to.
> example.
> Report 1
> Report 2
> Report 3
> Report 4
> Group A
> Group B
> If Group A is given permission to browse Reports 1 and 2, and Group B is
> given permission to view Reports 2,3 and 4.
> By adding User X to Broup A, he/she will have access to Reports 1 and 2, by
> adding User z to Group B he/she will have access to Reports 2,3 and 4.
> If you want User Y to view Report 2 only, and no other Reports, then you
> will need to either add that user directly to Report 2, or create a new Group
> C, and assign permissions to Group C to view Report 2.
> Again, such Gropus may be part of the Active Directory or the Server.
> I hope this clears up any ambiguity.
>
> "Samson" wrote:
> > Is is possible to restrict group rights per report using domain groups.
> >
> > If I want a particular user to be able to view one or two reports and those
> > alone without viewing other reports, how would I attempt this. Say I want
> > only Sales see the sales reports, payroll to see only payroll, Tech Support
> > to see Tech Support and etc...
> >
> > is this possible?
> >
> >
> > --
> > Regards,
> >
> > Samson
> >
> >
> > "Logicalman" wrote:
> >
> > > I managed to set local group policy only by adding the users to a
> > > server-level group and then assign that group permissions. The same can be
> > > done by adding individual accounts to the server itself, but I was unable to
> > > create groups within RS itself.
> > >
> > > Hope this assists,
> > >
> > > "Alex" wrote:
> > >
> > > > Hi,
> > > >
> > > > Is it possible to grant role assignment to report server local groups in
> > > > SSRS 2000? if so, how? I can't do it.
> > > >
> > > > Thanks
> > > > Alex
> > > >
> > > >
> > > >|||I think after reading youtr post again I can set the permission within the
report as well. I think I understand now.
Regards,
Samson
"Samson" wrote:
> That is good news. I guess my question is how. I created 3 users groups,
> sales, techs, payroll.
> How do I set the permission on the particular folder that holds the reports?
>
> --
> Regards,
> Samson
>
> "Logicalman" wrote:
> > Samson,
> >
> > Yes, you simply add the user to the group having permission on that report.
> > Be aware though, that by adding the user to that group he/she will then be
> > able to view ALL reports that particular group has permissions to.
> > example.
> > Report 1
> > Report 2
> > Report 3
> > Report 4
> >
> > Group A
> > Group B
> >
> > If Group A is given permission to browse Reports 1 and 2, and Group B is
> > given permission to view Reports 2,3 and 4.
> > By adding User X to Broup A, he/she will have access to Reports 1 and 2, by
> > adding User z to Group B he/she will have access to Reports 2,3 and 4.
> >
> > If you want User Y to view Report 2 only, and no other Reports, then you
> > will need to either add that user directly to Report 2, or create a new Group
> > C, and assign permissions to Group C to view Report 2.
> > Again, such Gropus may be part of the Active Directory or the Server.
> >
> > I hope this clears up any ambiguity.
> >
> >
> > "Samson" wrote:
> >
> > > Is is possible to restrict group rights per report using domain groups.
> > >
> > > If I want a particular user to be able to view one or two reports and those
> > > alone without viewing other reports, how would I attempt this. Say I want
> > > only Sales see the sales reports, payroll to see only payroll, Tech Support
> > > to see Tech Support and etc...
> > >
> > > is this possible?
> > >
> > >
> > > --
> > > Regards,
> > >
> > > Samson
> > >
> > >
> > > "Logicalman" wrote:
> > >
> > > > I managed to set local group policy only by adding the users to a
> > > > server-level group and then assign that group permissions. The same can be
> > > > done by adding individual accounts to the server itself, but I was unable to
> > > > create groups within RS itself.
> > > >
> > > > Hope this assists,
> > > >
> > > > "Alex" wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Is it possible to grant role assignment to report server local groups in
> > > > > SSRS 2000? if so, how? I can't do it.
> > > > >
> > > > > Thanks
> > > > > Alex
> > > > >
> > > > >
> > > > >
Is it possible to grant role assignment to report server local groups in
SSRS 2000? if so, how? I can't do it.
Thanks
AlexI managed to set local group policy only by adding the users to a
server-level group and then assign that group permissions. The same can be
done by adding individual accounts to the server itself, but I was unable to
create groups within RS itself.
Hope this assists,
"Alex" wrote:
> Hi,
> Is it possible to grant role assignment to report server local groups in
> SSRS 2000? if so, how? I can't do it.
> Thanks
> Alex
>
>|||Is is possible to restrict group rights per report using domain groups.
If I want a particular user to be able to view one or two reports and those
alone without viewing other reports, how would I attempt this. Say I want
only Sales see the sales reports, payroll to see only payroll, Tech Support
to see Tech Support and etc...
is this possible?
Regards,
Samson
"Logicalman" wrote:
> I managed to set local group policy only by adding the users to a
> server-level group and then assign that group permissions. The same can be
> done by adding individual accounts to the server itself, but I was unable to
> create groups within RS itself.
> Hope this assists,
> "Alex" wrote:
> > Hi,
> >
> > Is it possible to grant role assignment to report server local groups in
> > SSRS 2000? if so, how? I can't do it.
> >
> > Thanks
> > Alex
> >
> >
> >|||Samson,
Yes, you simply add the user to the group having permission on that report.
Be aware though, that by adding the user to that group he/she will then be
able to view ALL reports that particular group has permissions to.
example.
Report 1
Report 2
Report 3
Report 4
Group A
Group B
If Group A is given permission to browse Reports 1 and 2, and Group B is
given permission to view Reports 2,3 and 4.
By adding User X to Broup A, he/she will have access to Reports 1 and 2, by
adding User z to Group B he/she will have access to Reports 2,3 and 4.
If you want User Y to view Report 2 only, and no other Reports, then you
will need to either add that user directly to Report 2, or create a new Group
C, and assign permissions to Group C to view Report 2.
Again, such Gropus may be part of the Active Directory or the Server.
I hope this clears up any ambiguity.
"Samson" wrote:
> Is is possible to restrict group rights per report using domain groups.
> If I want a particular user to be able to view one or two reports and those
> alone without viewing other reports, how would I attempt this. Say I want
> only Sales see the sales reports, payroll to see only payroll, Tech Support
> to see Tech Support and etc...
> is this possible?
>
> --
> Regards,
> Samson
>
> "Logicalman" wrote:
> > I managed to set local group policy only by adding the users to a
> > server-level group and then assign that group permissions. The same can be
> > done by adding individual accounts to the server itself, but I was unable to
> > create groups within RS itself.
> >
> > Hope this assists,
> >
> > "Alex" wrote:
> >
> > > Hi,
> > >
> > > Is it possible to grant role assignment to report server local groups in
> > > SSRS 2000? if so, how? I can't do it.
> > >
> > > Thanks
> > > Alex
> > >
> > >
> > >|||That is good news. I guess my question is how. I created 3 users groups,
sales, techs, payroll.
How do I set the permission on the particular folder that holds the reports?
Regards,
Samson
"Logicalman" wrote:
> Samson,
> Yes, you simply add the user to the group having permission on that report.
> Be aware though, that by adding the user to that group he/she will then be
> able to view ALL reports that particular group has permissions to.
> example.
> Report 1
> Report 2
> Report 3
> Report 4
> Group A
> Group B
> If Group A is given permission to browse Reports 1 and 2, and Group B is
> given permission to view Reports 2,3 and 4.
> By adding User X to Broup A, he/she will have access to Reports 1 and 2, by
> adding User z to Group B he/she will have access to Reports 2,3 and 4.
> If you want User Y to view Report 2 only, and no other Reports, then you
> will need to either add that user directly to Report 2, or create a new Group
> C, and assign permissions to Group C to view Report 2.
> Again, such Gropus may be part of the Active Directory or the Server.
> I hope this clears up any ambiguity.
>
> "Samson" wrote:
> > Is is possible to restrict group rights per report using domain groups.
> >
> > If I want a particular user to be able to view one or two reports and those
> > alone without viewing other reports, how would I attempt this. Say I want
> > only Sales see the sales reports, payroll to see only payroll, Tech Support
> > to see Tech Support and etc...
> >
> > is this possible?
> >
> >
> > --
> > Regards,
> >
> > Samson
> >
> >
> > "Logicalman" wrote:
> >
> > > I managed to set local group policy only by adding the users to a
> > > server-level group and then assign that group permissions. The same can be
> > > done by adding individual accounts to the server itself, but I was unable to
> > > create groups within RS itself.
> > >
> > > Hope this assists,
> > >
> > > "Alex" wrote:
> > >
> > > > Hi,
> > > >
> > > > Is it possible to grant role assignment to report server local groups in
> > > > SSRS 2000? if so, how? I can't do it.
> > > >
> > > > Thanks
> > > > Alex
> > > >
> > > >
> > > >|||I think after reading youtr post again I can set the permission within the
report as well. I think I understand now.
Regards,
Samson
"Samson" wrote:
> That is good news. I guess my question is how. I created 3 users groups,
> sales, techs, payroll.
> How do I set the permission on the particular folder that holds the reports?
>
> --
> Regards,
> Samson
>
> "Logicalman" wrote:
> > Samson,
> >
> > Yes, you simply add the user to the group having permission on that report.
> > Be aware though, that by adding the user to that group he/she will then be
> > able to view ALL reports that particular group has permissions to.
> > example.
> > Report 1
> > Report 2
> > Report 3
> > Report 4
> >
> > Group A
> > Group B
> >
> > If Group A is given permission to browse Reports 1 and 2, and Group B is
> > given permission to view Reports 2,3 and 4.
> > By adding User X to Broup A, he/she will have access to Reports 1 and 2, by
> > adding User z to Group B he/she will have access to Reports 2,3 and 4.
> >
> > If you want User Y to view Report 2 only, and no other Reports, then you
> > will need to either add that user directly to Report 2, or create a new Group
> > C, and assign permissions to Group C to view Report 2.
> > Again, such Gropus may be part of the Active Directory or the Server.
> >
> > I hope this clears up any ambiguity.
> >
> >
> > "Samson" wrote:
> >
> > > Is is possible to restrict group rights per report using domain groups.
> > >
> > > If I want a particular user to be able to view one or two reports and those
> > > alone without viewing other reports, how would I attempt this. Say I want
> > > only Sales see the sales reports, payroll to see only payroll, Tech Support
> > > to see Tech Support and etc...
> > >
> > > is this possible?
> > >
> > >
> > > --
> > > Regards,
> > >
> > > Samson
> > >
> > >
> > > "Logicalman" wrote:
> > >
> > > > I managed to set local group policy only by adding the users to a
> > > > server-level group and then assign that group permissions. The same can be
> > > > done by adding individual accounts to the server itself, but I was unable to
> > > > create groups within RS itself.
> > > >
> > > > Hope this assists,
> > > >
> > > > "Alex" wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Is it possible to grant role assignment to report server local groups in
> > > > > SSRS 2000? if so, how? I can't do it.
> > > > >
> > > > > Thanks
> > > > > Alex
> > > > >
> > > > >
> > > > >
Monday, February 20, 2012
Local Admin Rights
Quick question...
Are members of the servers local admins group by default
members of the sysadmins role'
If so, does a login account still need to be made on the
sql server in order for that user to function properly
within sql?
thanks.Hi,
Yes, But default the BUILDIN\Administrators will be having 'sysadmin' SQL
Serevr server role.
Obviously you can use this accout to access sql server.
Since this user is powerful it is not safe to provide this Login id to
Developers. So is always advisable to create a group specifically meant for
developers with less privileges.
Thanks
Hari
MCDBA
"JRD" <anonymous@.discussions.microsoft.com> wrote in message
news:98ca01c3ea6f$05b73cb0$a601280a@.phx.gbl...
Are members of the servers local admins group by default
members of the sysadmins role'
If so, does a login account still need to be made on the
sql server in order for that user to function properly
within sql?
thanks.Hi,
Yes, But default the BUILDIN\Administrators will be having 'sysadmin' SQL
Serevr server role.
Obviously you can use this accout to access sql server.
Since this user is powerful it is not safe to provide this Login id to
Developers. So is always advisable to create a group specifically meant for
developers with less privileges.
Thanks
Hari
MCDBA
"JRD" <anonymous@.discussions.microsoft.com> wrote in message
news:98ca01c3ea6f$05b73cb0$a601280a@.phx.gbl...
quote:
> Quick question...
> Are members of the servers local admins group by default
> members of the sysadmins role'
> If so, does a login account still need to be made on the
> sql server in order for that user to function properly
> within sql?
> thanks.
Local Admin group necessary for DBA's?
Assume that the DBA's windows login is in the sysadmin fixed server role, if
a DBA uses Windows Authentication to manage a SQL Server Enteriprise
(6.5,7.0,200), are there any problems with removing the DBA's account from
the local administrators group of each SQL Server?
Any supporting documentation or articles for removing the DBA from the admin
Group?
Any expected annoyances for the DBA?Hi,
You can't restrict the OS administrators fully, because they have full
rights on all folders and registry keys inwhich SQL server resides.
But, you can restrict them to an extend by removing "System Admin" role
from BUILTIN/ADMINISTRATORS account.
" I had problems in the below when I removed "Syadmin role" from
BuildIN/Administrators. So I have given back the sysadmin role to solve the
issue.
1. FULL Text Indexing
2. Maintenance Plans
So do a test in test server for couple of weeks and then implement in
Production server.
Known issues after removal , Some things to be aware of:
Q237604 PRB: SQL Server Agent Does Not Start and Displays Error 18456
Q295034 FIX: MSSearch Takes 100% CPU if BUILTIN\Administrators Removed
Q317746 PRB: SQL Server Full-Text Search Does Not Populate Catalogs "
Did i answer ur question?
Thanks
Hari
SQL Server MVP
"Johnnie Scott" <JohnnieScott@.discussions.microsoft.com> wrote in message
news:84A82B7C-6244-45C1-94A2-C64DE85C31FD@.microsoft.com...
> Assume that the DBA's windows login is in the sysadmin fixed server role,
> if
> a DBA uses Windows Authentication to manage a SQL Server Enteriprise
> (6.5,7.0,200), are there any problems with removing the DBA's account from
> the local administrators group of each SQL Server?
> Any supporting documentation or articles for removing the DBA from the
> admin
> Group?
> Any expected annoyances for the DBA?|||No, the question I'm really trying to answer is regarding removing the DBA's
windows account from the Local Administrators Group on the the server.
"Hari Prasad" wrote:
> Hi,
> You can't restrict the OS administrators fully, because they have full
> rights on all folders and registry keys inwhich SQL server resides.
> But, you can restrict them to an extend by removing "System Admin" role
> from BUILTIN/ADMINISTRATORS account.
>
> " I had problems in the below when I removed "Syadmin role" from
> BuildIN/Administrators. So I have given back the sysadmin role to solve t
he
> issue.
> 1. FULL Text Indexing
> 2. Maintenance Plans
> So do a test in test server for couple of weeks and then implement in
> Production server.
> Known issues after removal , Some things to be aware of:
> Q237604 PRB: SQL Server Agent Does Not Start and Displays Error 18456
> Q295034 FIX: MSSearch Takes 100% CPU if BUILTIN\Administrators Removed
> Q317746 PRB: SQL Server Full-Text Search Does Not Populate Catalogs "
> Did i answer ur question?
> --
> Thanks
> Hari
> SQL Server MVP
> "Johnnie Scott" <JohnnieScott@.discussions.microsoft.com> wrote in message
> news:84A82B7C-6244-45C1-94A2-C64DE85C31FD@.microsoft.com...
>
>|||We have this situation on some servers and it works to varying degree's.
There are "annoyances" - you have to work closely with the Windows admins to
define the required shares so that the DBA's can manage database
files,backups,logs etc. Management of a server "by committee" is tricky so
make sure you have the processes in place for the windows + sql admins to be
able to do their jobs. And remember that if the SQL Server Service account
is a member of the local admins group on the server so are the DBA's (via
xp_cmdshell) regardless of whether they are in the local admins group or not
HTH
Jasper Smith (SQL Server MVP)
http://www.sqldbatips.com
I support PASS - the definitive, global
community for SQL Server professionals -
http://www.sqlpass.org
"Johnnie Scott" <JohnnieScott@.discussions.microsoft.com> wrote in message
news:84A82B7C-6244-45C1-94A2-C64DE85C31FD@.microsoft.com...
> Assume that the DBA's windows login is in the sysadmin fixed server role,
> if
> a DBA uses Windows Authentication to manage a SQL Server Enteriprise
> (6.5,7.0,200), are there any problems with removing the DBA's account from
> the local administrators group of each SQL Server?
> Any supporting documentation or articles for removing the DBA from the
> admin
> Group?
> Any expected annoyances for the DBA?
a DBA uses Windows Authentication to manage a SQL Server Enteriprise
(6.5,7.0,200), are there any problems with removing the DBA's account from
the local administrators group of each SQL Server?
Any supporting documentation or articles for removing the DBA from the admin
Group?
Any expected annoyances for the DBA?Hi,
You can't restrict the OS administrators fully, because they have full
rights on all folders and registry keys inwhich SQL server resides.
But, you can restrict them to an extend by removing "System Admin" role
from BUILTIN/ADMINISTRATORS account.
" I had problems in the below when I removed "Syadmin role" from
BuildIN/Administrators. So I have given back the sysadmin role to solve the
issue.
1. FULL Text Indexing
2. Maintenance Plans
So do a test in test server for couple of weeks and then implement in
Production server.
Known issues after removal , Some things to be aware of:
Q237604 PRB: SQL Server Agent Does Not Start and Displays Error 18456
Q295034 FIX: MSSearch Takes 100% CPU if BUILTIN\Administrators Removed
Q317746 PRB: SQL Server Full-Text Search Does Not Populate Catalogs "
Did i answer ur question?
Thanks
Hari
SQL Server MVP
"Johnnie Scott" <JohnnieScott@.discussions.microsoft.com> wrote in message
news:84A82B7C-6244-45C1-94A2-C64DE85C31FD@.microsoft.com...
> Assume that the DBA's windows login is in the sysadmin fixed server role,
> if
> a DBA uses Windows Authentication to manage a SQL Server Enteriprise
> (6.5,7.0,200), are there any problems with removing the DBA's account from
> the local administrators group of each SQL Server?
> Any supporting documentation or articles for removing the DBA from the
> admin
> Group?
> Any expected annoyances for the DBA?|||No, the question I'm really trying to answer is regarding removing the DBA's
windows account from the Local Administrators Group on the the server.
"Hari Prasad" wrote:
> Hi,
> You can't restrict the OS administrators fully, because they have full
> rights on all folders and registry keys inwhich SQL server resides.
> But, you can restrict them to an extend by removing "System Admin" role
> from BUILTIN/ADMINISTRATORS account.
>
> " I had problems in the below when I removed "Syadmin role" from
> BuildIN/Administrators. So I have given back the sysadmin role to solve t
he
> issue.
> 1. FULL Text Indexing
> 2. Maintenance Plans
> So do a test in test server for couple of weeks and then implement in
> Production server.
> Known issues after removal , Some things to be aware of:
> Q237604 PRB: SQL Server Agent Does Not Start and Displays Error 18456
> Q295034 FIX: MSSearch Takes 100% CPU if BUILTIN\Administrators Removed
> Q317746 PRB: SQL Server Full-Text Search Does Not Populate Catalogs "
> Did i answer ur question?
> --
> Thanks
> Hari
> SQL Server MVP
> "Johnnie Scott" <JohnnieScott@.discussions.microsoft.com> wrote in message
> news:84A82B7C-6244-45C1-94A2-C64DE85C31FD@.microsoft.com...
>
>|||We have this situation on some servers and it works to varying degree's.
There are "annoyances" - you have to work closely with the Windows admins to
define the required shares so that the DBA's can manage database
files,backups,logs etc. Management of a server "by committee" is tricky so
make sure you have the processes in place for the windows + sql admins to be
able to do their jobs. And remember that if the SQL Server Service account
is a member of the local admins group on the server so are the DBA's (via
xp_cmdshell) regardless of whether they are in the local admins group or not
HTH
Jasper Smith (SQL Server MVP)
http://www.sqldbatips.com
I support PASS - the definitive, global
community for SQL Server professionals -
http://www.sqlpass.org
"Johnnie Scott" <JohnnieScott@.discussions.microsoft.com> wrote in message
news:84A82B7C-6244-45C1-94A2-C64DE85C31FD@.microsoft.com...
> Assume that the DBA's windows login is in the sysadmin fixed server role,
> if
> a DBA uses Windows Authentication to manage a SQL Server Enteriprise
> (6.5,7.0,200), are there any problems with removing the DBA's account from
> the local administrators group of each SQL Server?
> Any supporting documentation or articles for removing the DBA from the
> admin
> Group?
> Any expected annoyances for the DBA?
Subscribe to:
Posts (Atom)