Hi All,
I have revoked the BUILTIN\Administrators group membership in the SysAdmin
group of a SQL 2000 server and instead granted the group Process
Administrators and Disk Administrators permissions. When I browse
permissions for the BUILTIN\Administrators group in EM, I see the proper
Server Roles are defined as noted above, however this group appears to have
DBO permissions to all databases on the server, even though those databases
were created by SA. In checking several of my SQL servers I am also seeing
the same thing on each server. Have people seen this before? This would
imply that the Local Admins to the box still have dbo to all of the databases,
but they were never granted this permission. Is this just an incorrect
representation within EM?
Thanks,
Dave

No...that's not what would typically happen if you remove
the Builtin\administrators group.
I'm guessing that you mean that the local admins appear to
have db_owner role permissions. DBO and db_owner are
different things. DBO is a user and db_owner is a database
role. Users can be members of db_owner fixed database role
which gives them all permissions in the database.
I'm not sure why you think the local admins on the server
have db_owner permissions but one thing to keep in mind is
that permissions are cumulative based upon the user's
explicit permissions as well as those inherited from group
membership (Windows groups as well as the server and
database groups).
-Sue
On Sun, 23 Jan 2005 06:33:03 -0800, "DBADave"
<DBADave@.discussions.microsoft.com> wrote:
>Hi All,
>I have revoked the BUILTIN\Administrators group membership in the SysAdmin
>group of a SQL 2000 server and instead granted the group Process
>Administrators and Disk Administrators permissions. When I browse
>permissions for the BUILTIN\Administrators group in EM, I see the proper
>Server Roles are defined as noted above, however this group appears to have
>DBO permissions to all databases on the server, even though those databases
>were created by SA. In checking several of my SQL servers I am also seeing
>the same thing on each server. Have people seen this before? This would
>imply that the Local Admins to the box still have dbo to all of the databases,
>but they were never granted this permission. Is this just an incorrect
>representation within EM?
>Thanks,
>Dave
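
The following T-SQL is an added example, not part of either post: one way to check on a SQL Server 2000 instance whether BUILTIN\Administrators really holds database-level rights, rather than relying on the Enterprise Manager display. It assumes you run it as a sysadmin; `DOMAIN\someuser` is a placeholder account name, and `sp_MSforeachdb` is an undocumented procedure that ships with SQL Server 2000.

```sql
-- Added example for SQL Server 2000; run as a sysadmin.

-- 1. Server-level view: which fixed server roles the group login holds.
--    sysadmin should be 0 after the revoke; processadmin/diskadmin should be 1.
SELECT name, isntgroup, sysadmin, processadmin, diskadmin
FROM master.dbo.syslogins
WHERE name = 'BUILTIN\Administrators';

-- 2. Who owns each database. The owning login is the one mapped to the
--    dbo *user*; this is separate from membership of the db_owner *role*.
SELECT d.name AS database_name, SUSER_SNAME(d.sid) AS owner_login
FROM master.dbo.sysdatabases d
ORDER BY d.name;

-- 3. In every database: is the group mapped to a database user, and if so,
--    which roles is that user a member of? No rows for a database means the
--    group has no user there at all. A NULL role_name means a user exists
--    but holds no role membership.
EXEC sp_MSforeachdb '
USE [?];
SELECT DB_NAME() AS database_name,
       u.name    AS database_user,
       r.name    AS role_name
FROM sysusers u
LEFT JOIN sysmembers m ON m.memberuid = u.uid
LEFT JOIN sysusers  r ON r.uid = m.groupuid
WHERE u.sid = SUSER_SID(''BUILTIN\Administrators'');
';

-- 4. Cumulative permissions: list every path (direct login or Windows group)
--    through which one particular Windows account reaches the server.
--    DOMAIN\someuser is a placeholder; substitute a real local admin account.
EXEC master.dbo.xp_logininfo 'DOMAIN\someuser', 'all';

-- 5. Members of the Windows group as SQL Server resolves them.
EXEC master.dbo.xp_logininfo 'BUILTIN\Administrators', 'members';
```

If query 3 returns no rows in the user databases and query 4 shows no other path with admin privilege, the group has no db_owner membership on the server.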
Thursday, February 16, 2012
BuiltinAdministrator's not SysAdmin yet appear to have DBO on all