Thursday, February 16, 2012

BUILTIN\Administrators

Is there any way to deny access to BUILTIN\Administrators on just one databa
se.
Very highly confidential databse and want to deny the access to
BUILTIN\Administrators.
Thanks
AndyYou can add "trusted" logins to the sysadmin role and then remove
BUILTIN\Administrators from the sysadmin role (as long as you're not using a
clustered instance). Only those people who should have access to the
sensitive DB should be in the sysadmin role. Anyone who is in the sysadmin
role has access to the entire SQL Server instance - including all DB's.
Tom
----
Thomas A. Moreau, BSc, PhD, MCSE, MCDBA
SQL Server MVP
Columnist, SQL Server Professional
Toronto, ON Canada
www.pinpub.com
"Andy" <Andy@.discussions.microsoft.com> wrote in message
news:D366F47F-016C-408E-8D7B-D6C92DA613B7@.microsoft.com...
> Is there any way to deny access to BUILTIN\Administrators on just one
> database.
> Very highly confidential databse and want to deny the access to
> BUILTIN\Administrators.
> Thanks
> Andy|||You should follow Tom's suggestion, EVEN ON A CLUSTERED INSTANCE. You just
have to make sure the Cluster Service and SQL Server services accounts have
been granted access.
If you can not get away with actually removing the BUILTIN\Administrators
group, you can certainly remove the group login from the System
Administrators server role and remove it as a user from all databases.
Then, you can assign the login as a user in whatever databases you DO want
to them to have access to and for whatever permissions you want them
restricted to.
Sincerely,
Anthony Thomas
"Tom Moreau" <tom@.dont.spam.me.cips.ca> wrote in message
news:eynSYDD2FHA.3204@.TK2MSFTNGP14.phx.gbl...
> You can add "trusted" logins to the sysadmin role and then remove
> BUILTIN\Administrators from the sysadmin role (as long as you're not using
a
> clustered instance). Only those people who should have access to the
> sensitive DB should be in the sysadmin role. Anyone who is in the
sysadmin
> role has access to the entire SQL Server instance - including all DB's.
> --
> Tom
> ----
> Thomas A. Moreau, BSc, PhD, MCSE, MCDBA
> SQL Server MVP
> Columnist, SQL Server Professional
> Toronto, ON Canada
> www.pinpub.com
> "Andy" <Andy@.discussions.microsoft.com> wrote in message
> news:D366F47F-016C-408E-8D7B-D6C92DA613B7@.microsoft.com...
>
Posted by Lamont at 10:35 PM
Labels: , , , , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)