I couldn't find anything about Builtin\Administrators in the Microsoft Best
Practices checklist, but MBSA reports that it is part of the sysadmin role
and apparently should not be. I started to research this and see that a lot
of people are going so far as to remove the account altogether from SQL
Server with varying results in an effort to prevent system administrators
from gaining the same access as the DBA. I am confused about the differing
opinions and am wondering if there is some definitive guide to handling this
account to meet Sarbanes-Oxley objectives.
In our particular environment, there are only 4 people in our IT staff and
we intend for two of them, the DBA and the senior sys admin, to have access -
the senior sys admin in more of a back-up context for the DBA but also with
overall responsibility for the server. We would like to exclude the other
two staff. The senior sys admin's plan is to reserve knowledge of the System
Administrator account login only to himself but to put the other staff in an
NT group with at least some administrative rights (so that they can
troubleshoot systems from a support perspective - beyond that, I don't know
the details of his plan).
To accomplish this, will it be enough to remove the Builtin\Administrators
account from the sysadmins role or is there some reason to remove the account
completely?

The reason that most people want to change the Builtin Admin group is that
it is based upon the Administrators group. Therefore, all Windows Admins are
SQL Admins (system administrators).
Changing the SQL Admins just merely moves this to another NT group. If the
NT admin really wants to be a system admin, they can merely add themselves
to this new group.
See the following KB article for more info:
263712 INF: How to impede Windows NT administrators from administering a
http://support.microsoft.com/?id=263712
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.
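An added T-SQL script (not from either poster) that audits who currently holds sysadmin, reports whether BUILTIN\Administrators is among them, and removes it from the role only when another enabled individual sysadmin login exists, so the DBA cannot lock themselves out. It assumes SQL Server 2005 or later (sys.server_principals and sys.server_role_members); older instances would use sp_helpsrvrolemember instead.

```sql
-- Added example, not part of the original thread. Assumes SQL Server 2005+.

-- 1. List every principal in the sysadmin fixed server role.
--    member_type WINDOWS_GROUP means every member of that Windows group is
--    a SQL sysadmin; BUILTIN\Administrators is the usual offender, and
--    granting a different NT group instead only moves the problem, as the
--    reply above notes.
SELECT  m.name        AS member_name,
        m.type_desc   AS member_type,   -- WINDOWS_GROUP / WINDOWS_LOGIN / SQL_LOGIN
        m.is_disabled
FROM    sys.server_role_members rm
JOIN    sys.server_principals  r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals  m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY m.type_desc, m.name;

-- 2. Direct check for the login the question asks about:
--    1 = sysadmin, 0 = present but not sysadmin, NULL = login does not exist.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'BUILTIN\Administrators') AS builtin_admins_is_sysadmin;

-- 3. Remove BUILTIN\Administrators from sysadmin, but only if at least one
--    other enabled, individual (non-group) login still holds the role.
--    Without this guard a server whose only sysadmins came through the
--    Windows Administrators group would be left with no usable sysadmin.
DECLARE @other_admins int;

SELECT  @other_admins = COUNT(*)
FROM    sys.server_role_members rm
JOIN    sys.server_principals  r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals  m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
  AND   m.name <> N'BUILTIN\Administrators'
  AND   m.type IN ('S', 'U')      -- SQL login or Windows login, not a group
  AND   m.is_disabled = 0;

IF @other_admins = 0
    RAISERROR(N'Refusing to remove BUILTIN\Administrators from sysadmin: no other enabled individual sysadmin login exists.', 16, 1);
ELSE IF IS_SRVROLEMEMBER(N'sysadmin', N'BUILTIN\Administrators') = 1
    -- Keeps the login (so it can still connect with whatever other rights it
    -- has) and only strips the sysadmin membership. To remove the login
    -- entirely instead, run: DROP LOGIN [BUILTIN\Administrators];
    EXEC sp_dropsrvrolemember @loginame = N'BUILTIN\Administrators', @rolename = N'sysadmin';
```

Re-run step 1 afterwards; the remaining WINDOWS_GROUP rows are the groups whose Windows-side membership now decides who is a SQL sysadmin.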