Thursday, March 8, 2012

Deactivating Admin and Domain-Admins

Hello,

Is it possible to deactivate the groups admins and domain-admins in SQL Server without getting in trouble with the SQL Server? For example, when the system boots the program should start normally without any problems.

We want to deactivate the accounts because we have some critical information in SQL Server and don't want to give all admins the possibility to have a look at these data.

We just want to have sa within the role sysadmin.

Regards
Franz

You can drop the BUILTIN\Administrators group from the sql logins. Make sure you have the password to sa as you don't want to leave yourself with no sysadmin login.

Remember, if you're using SQL Agent, the service account it runs under does need to be a sysadmin in sql.

HTH!

Thank you for the answer.

Yes, we are using the SQL Agent. If I give the account the role sysadmin, an administrator has the possibility to give it a new password and can then see all information.

Is there really no chance to deactivate the accounts?

We also have an SQL Cluster; is there any further account needed?

If I have no chance to deactivate those accounts generally without giving some special accounts the sysadmin role, is it a method to deactivate the accounts and, when I have to reboot or start the services, to give them temporarily the sysadmin role?

Regards
Franz

The SQL Agent Service is a sysadmin by design. In a future version we may be able to modify the design to make SQL Agent not have to be a sysadmin but that doesn't help you today.

Removing builtin\administrator is probably the best you can do.

HTH,

-Steven Gott

SDE/T

SQL Server
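
The checks the answers above call for (a working sa login, and sysadmin for the SQL Agent service account) can be run as a guard before the group is dropped. This T-SQL is an added example, not code from the posters; it assumes SQL Server 2008 R2 SP1 or later (for `sys.dm_server_services`) and that the Agent account is meant to hold sysadmin directly rather than through a Windows group.

```sql
-- Added example: pre-flight checks before dropping BUILTIN\Administrators.
SET NOCOUNT ON;

-- 1. Report every direct member of sysadmin, so the change is reviewed first.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

DECLARE @problems nvarchar(2000) = N'';

-- 2. sa must remain usable: SQL authentication on, login not disabled.
IF CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly')) = 1
    SET @problems += N'Server is Windows-authentication only, sa cannot log in. ';
IF EXISTS (SELECT 1 FROM sys.server_principals
           WHERE sid = 0x01 AND is_disabled = 1)   -- sid 0x01 is sa, even if renamed
    SET @problems += N'The sa login is disabled. ';

-- 3. The Agent service account must be a direct sysadmin member. An account
--    that only had sysadmin through BUILTIN\Administrators loses it on the drop.
--    Names that do not match a login (e.g. LocalSystem) fail this check on purpose.
IF EXISTS (
    SELECT 1
    FROM sys.dm_server_services AS s
    WHERE s.servicename LIKE N'SQL Server Agent%'
      AND NOT EXISTS (
          SELECT 1
          FROM sys.server_role_members AS rm
          JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
          JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
          WHERE r.name = N'sysadmin'
            AND p.name COLLATE DATABASE_DEFAULT
                = s.service_account COLLATE DATABASE_DEFAULT))
    SET @problems += N'SQL Agent service account is not a direct sysadmin member. ';

-- 4. Drop the group only when every check passed.
IF @problems <> N''
    RAISERROR(N'Not dropping BUILTIN\Administrators: %s', 16, 1, @problems);
ELSE IF EXISTS (SELECT 1 FROM sys.server_principals
                WHERE name = N'BUILTIN\Administrators')
    DROP LOGIN [BUILTIN\Administrators];
```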
