I am new to SQL Server, and I have been tasked with setting permissions on a remote server. What I need to do is limit the domain admin from having access to any of the DB's on a particular server. How can I accomplish this?
Remove BUILTIN/Administrators from the SA group.
Important! Before you do this, make absolutely sure you have either:
the password for the "sa" account
or
your domain account is a member of the sysadmin server role
Otherwise you might find yourself locked out of the server.. not that this has ever happened to me.. ;-)
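One way to run that check and the removal together in T-SQL, as an added example that is not part of the original answer. It assumes SQL Server 2012 or later (for ALTER SERVER ROLE) and deliberately treats sysadmin access inherited through any Windows group as not good enough:

```sql
USE master;
GO
-- Snapshot the explicit members of the sysadmin fixed server role.
DECLARE @members TABLE (name sysname, sid varbinary(85), is_disabled bit);
INSERT INTO @members (name, sid, is_disabled)
SELECT m.name, m.sid, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- Guard: the login this session is connected as (sa, or your own domain
-- account) must itself be an enabled, explicit member of sysadmin.
-- If you only got in through BUILTIN\Administrators, this test fails.
IF NOT EXISTS (SELECT 1 FROM @members
               WHERE sid = SUSER_SID() AND is_disabled = 0)
    RAISERROR(N'Current login is not an explicit sysadmin member; nothing was changed.', 16, 1);
ELSE IF EXISTS (SELECT 1 FROM @members
                WHERE name = N'BUILTIN\Administrators')
    ALTER SERVER ROLE sysadmin DROP MEMBER [BUILTIN\Administrators];
GO
-- Review who still holds sysadmin after the change.
EXEC sp_helpsrvrolemember 'sysadmin';
GO
```

Connecting as sa passes the guard as well, which also proves you really do know the sa password before the group is removed.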
On my Windows machine, SQL Server was installed for a single user by mistake and I am not able to see the SQL Server database under Database Engine in local databases.
Can anyone please help me to access the SQL Server for all Windows account users on that machine?
Personally, I don't think that having EVERY user have sysadmin privileges on a SQL Server is a good idea. I don't know who has access to your Server/Computer, however, it means that anyone can do whatever they want on that server, including revoking the sysadmin rights of everyone else.
Anyway, if you have to do this, the easiest way would be to use localhost's Users group, and create a login for that.
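USE master;
GO
-- A Windows login needs its full Windows name; the local Users group is BUILTIN\Users.
CREATE LOGIN [BUILTIN\Users] FROM WINDOWS WITH DEFAULT_DATABASE = [master];
GO
-- Grants sysadmin to every member of the local Users group.
ALTER SERVER ROLE sysadmin ADD MEMBER [BUILTIN\Users];
GO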
Personally, however, I would recommend you, instead, create logins for each user and grant them appropriate permissions (not sysadmin). Not everyone needs sysadmin privileges, and it's a bad idea for everyone to have them.
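The per-user alternative recommended above could look like this; it is an added example, not code from the original answer. The account EXAMPLE-PC\alice and the database AppDb are hypothetical placeholders, and ALTER ROLE ... ADD MEMBER assumes SQL Server 2012 or later:

```sql
USE master;
GO
-- Server level: one login per Windows user, with no server role beyond public.
CREATE LOGIN [EXAMPLE-PC\alice] FROM WINDOWS;
GO
USE AppDb;   -- hypothetical application database
GO
-- Database level: map the login to a user and grant only read/write on data.
CREATE USER [EXAMPLE-PC\alice] FOR LOGIN [EXAMPLE-PC\alice];
ALTER ROLE db_datareader ADD MEMBER [EXAMPLE-PC\alice];
ALTER ROLE db_datawriter ADD MEMBER [EXAMPLE-PC\alice];
GO
-- Check the result from the user's point of view by impersonating the login.
EXECUTE AS LOGIN = N'EXAMPLE-PC\alice';
SELECT IS_SRVROLEMEMBER('sysadmin')                                AS is_sysadmin,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SELECT')          AS can_read_data,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'ALTER ANY USER')  AS can_manage_users;
REVERT;
GO
```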
While disabling the logins of a server, I mistakenly disabled sysadmin logins as well. Now, none of the sysadmins can log in. It would be helpful if anyone could suggest an alternative way to revert the changes or to enable the sysadmin logins again.
This would be of great help. Thank you. :)
Put SQL Server into Single User Mode. You will need to do this as a local administrator on the server where SQL Server is running.
This mode allows only a single account to connect. If the account is a local administrator on the server, you will have permission to re-add an account back into the sysadmin group. You must then restart SQL Server back into multi-user mode.
Detailed instructions are provided here.
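Once the instance is running in single-user mode, the repair itself is a few statements. This is an added example, not part of the original answer; it assumes the instance was started with the -m startup option, that you are connected from sqlcmd with Windows authentication as a member of the server's local Administrators group, and EXAMPLE\dba_account is a placeholder for the login you need back:

```sql
USE master;
GO
-- Find the logins that were disabled, and which of them hold sysadmin.
-- Certificate-mapped system logins are excluded by the type filter.
SELECT name,
       type_desc,
       IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin
FROM sys.server_principals
WHERE is_disabled = 1
  AND type IN ('S', 'U', 'G')   -- SQL logins, Windows logins, Windows groups
ORDER BY name;
GO
-- Re-enable the administrator login that was disabled by mistake.
ALTER LOGIN [EXAMPLE\dba_account] ENABLE;
GO
-- Only needed if the login was also removed from the role
-- (ALTER SERVER ROLE requires SQL Server 2012 or later).
ALTER SERVER ROLE sysadmin ADD MEMBER [EXAMPLE\dba_account];
GO
-- Confirm the state before restarting the service without -m.
SELECT name, is_disabled, IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin
FROM sys.server_principals
WHERE name = N'EXAMPLE\dba_account';
GO
```

Single-user mode accepts exactly one connection, so stop services and tools that reconnect automatically before you start, or they may take the only slot.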
I have a website hosted on GoDaddy and I need to create a database for it. So I headed to the Databases section and created a MS SQL Database, then on my local PC I tried to access the database via SQL Server Management Studio. I was able to log in to the database but I cannot make any operations. I get it does not exist or you do not have permission. So I decided to go to the Security tab, then Login, and tried to change the username that I'm using to systemadmin role, but I also got Cannot alter the server role 'sysadmin', because it does not exist or you do not have permission. What could be the problem? There are no other accounts on it. The default sa account is disabled and I can't enable it because it will prompt no permissions etc.
I don't understand it. Why does GoDaddy allow me to create a database but with no permissions, or rather, I cannot alter it? Anyone facing the same issue? Thanks
Well it's quite clear. You cannot set yourself as an SA. This would be a great security breach!
You need to add a Login in your database for your account. I think you headed to the server logins. The server login seems to be ok, as you already said. You can connect to the server itself. You need to add a login or a login mapping to your server login inside your database.
I don't know the backend of GoDaddy, but I'm pretty sure that you have some credentials provided after creating your database.
I've a user account on a development SQL express on a remote server. This account has all privileges granted to it but when I use SQL express remotely then I'm not able to make changes to tables. If I log into the virtual machine and sign in with same user I can make changes.
It says I'm not database owner or system administrator. I think I may need to use ownership chaining or somehow designate my user account as administrator?
Thanks.
This is what I'm seeing:
http://fogcreek.com/FogBugz/kb/errors/SysAdminRole.html
I'm using SQL Server Authentication but I'm not the owner but have 'grant' all rights.
Got it! This explains how I can add my user to the appropriate role and that fixes the problem.
https://web.archive.org/web/1/http://articles.techrepublic%2ecom%2ecom/5100-10878_11-1061781.html?tag=mantle_skin
I am a beginner in database field and this question might sound too stupid but I want to know why there is a login called sa and can I delete it?
I want to delete it because it seems to have pretty serious privileges on database server!
If it matters, I am using SQL Server Express 2008.
You can't remove the sa account but you can rename and/or disable it. Arguably this is good practice as otherwise you have a known username that an attacker could launch a brute force password attack against.
Just make sure if you disable the sa account that you have another account with administrator privileges.
sa is the admin account! Do not delete it; give it a strong password that you provide to no one except the database admin and a backup person.
sa is the main administrator account; it was the owner of the master database (holding data for user roles, schema, etc.), so it can't be deleted.
Just change the password (and I think it was asked for during installation) and create a guest/public account with more restrictive privileges for use with your application, a.k.a. don't use sa in your application (the application you develop).
Also, dependent on your environment, you can just turn off SQL Server Authentication altogether.
There are two types of authentication supported by SQL Server - Windows Authentication and SQL Authentication - you can have both or one of them active. If you switch off SQL Authentication then only valid Windows (as defined in the system) users will be able to use the server (normal permissions still apply, so each account has to be added to SQL Server as well, the fact that somebody has an account in the system doesn't mean they can access the SQL Server instance).
You can configure this in the server settings from the Management Studio.
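The rename-and-disable advice earlier in this thread and the authentication mode described above can both be checked and applied from a query window. This is an added example, not code from any of the answers; the new name renamed_admin_example is a hypothetical placeholder:

```sql
USE master;
GO
-- 1 = Windows Authentication only (no SQL login, sa included, can connect);
-- 0 = mixed mode (SQL Server and Windows Authentication).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- sa keeps SID 0x01 even after a rename, so look it up by SID, not by name.
DECLARE @sa  sysname = (SELECT name FROM sys.sql_logins WHERE sid = 0x01);
DECLARE @new sysname = N'renamed_admin_example';   -- hypothetical new name
DECLARE @sql nvarchar(max);

-- Guard: this session must be a sysadmin through some login other than sa,
-- otherwise disabling sa could leave the server without an administrator.
IF SUSER_SID() = 0x01 OR ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0) = 0
    RAISERROR(N'Connect with a different sysadmin login before disabling sa.', 16, 1);
ELSE
BEGIN
    SET @sql = N'ALTER LOGIN ' + QUOTENAME(@sa) + N' DISABLE;';
    EXEC (@sql);
    IF @sa <> @new
    BEGIN
        SET @sql = N'ALTER LOGIN ' + QUOTENAME(@sa)
                 + N' WITH NAME = ' + QUOTENAME(@new) + N';';
        EXEC (@sql);
    END
END;
GO
-- Confirm the current name and state of the built-in administrator login.
SELECT name, is_disabled FROM sys.sql_logins WHERE sid = 0x01;
GO
```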
Never do it. To understand more appropriately, please refer to http://blog.sqlauthority.com/2008/12/24/sql-server-disable-and-enable-user-sa/