Monday, February 20, 2012

Local Admin group necessary for DBA's?

Assume that the DBA's Windows login is in the sysadmin fixed server role, if
a DBA uses Windows Authentication to manage a SQL Server Enterprise
(6.5,7.0,200), are there any problems with removing the DBA's account from
the local administrators group of each SQL Server?
Any supporting documentation or articles for removing the DBA from the admin
Group?
Any expected annoyances for the DBA?

Hi,
You can't restrict the OS administrators fully, because they have full
rights on all folders and registry keys in which SQL Server resides.
But you can restrict them to an extent by removing the "System Admin" role
from the BUILTIN/ADMINISTRATORS account.
" I had problems with the below when I removed the "sysadmin role" from
BUILTIN/Administrators, so I gave the sysadmin role back to solve the
issue.
1. Full-Text Indexing
2. Maintenance Plans
So test on a test server for a couple of weeks and then implement on the
production server.
Known issues after removal; some things to be aware of:
Q237604 PRB: SQL Server Agent Does Not Start and Displays Error 18456
Q295034 FIX: MSSearch Takes 100% CPU if BUILTIN\Administrators Removed
Q317746 PRB: SQL Server Full-Text Search Does Not Populate Catalogs "
Did I answer your question?
Thanks
Hari
SQL Server MVP
|||No, the question I'm really trying to answer is regarding removing the DBA's
Windows account from the Local Administrators Group on the server.
|||We have this situation on some servers and it works to varying degrees.
There are "annoyances" - you have to work closely with the Windows admins to
define the required shares so that the DBAs can manage database
files, backups, logs etc. Management of a server "by committee" is tricky so
make sure you have the processes in place for the Windows + SQL admins to be
able to do their jobs. And remember that if the SQL Server service account
is a member of the local admins group on the server, so are the DBAs (via
xp_cmdshell), regardless of whether they are in the local admins group or not.
HTH
Jasper Smith (SQL Server MVP)
http://www.sqldbatips.com
I support PASS - the definitive, global
community for SQL Server professionals -
http://www.sqlpass.org
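
The last reply notes that DBAs inherit the rights of the SQL Server service account, so removing them from the local Administrators group changes little if that account is itself a local admin. A check for that condition, as an added example that is not part of the original thread: it assumes Windows PowerShell 5.1 or later run locally on the database server, and the function name Resolve-ServiceAccountSid is made up for this example.

```powershell
# Added example: report whether each SQL Server engine service runs under an
# account that is effectively a local administrator on this machine.
$adminGroupSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Direct members only: accounts that are admins through a nested domain
# group are not expanded here and need a separate directory lookup.
$adminMemberSids = Get-LocalGroupMember -SID $adminGroupSid |
    ForEach-Object { $_.SID.Value }

function Resolve-ServiceAccountSid {
    # Hypothetical helper: service logon name -> SID string, or $null.
    param([string]$StartName)
    # Services report local accounts as ".\name"; NTAccount needs the machine name.
    $name = $StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    try {
        $account = New-Object System.Security.Principal.NTAccount($name)
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # name could not be resolved (for example a deleted account)
    }
}

# Default instance (MSSQLSERVER) and named instances (MSSQL$<name>).
$filter = "Name = 'MSSQLSERVER' OR Name LIKE 'MSSQL`$%'"

Get-CimInstance -ClassName Win32_Service -Filter $filter | ForEach-Object {
    $sid = Resolve-ServiceAccountSid -StartName $_.StartName
    # LocalSystem always carries the Administrators group in its token.
    $isAdmin = ($_.StartName -eq 'LocalSystem') -or
               ($sid -and ($adminMemberSids -contains $sid))
    [pscustomobject]@{
        Service              = $_.Name
        Account              = $_.StartName
        LocalAdminEquivalent = [bool]$isAdmin
    }
}
```

Any row with LocalAdminEquivalent set to True means every sysadmin on that instance can act as a local administrator through xp_cmdshell, whatever their own group membership.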
