none
SSRS - BUILTIN\Administrators account issue

    Question

  • Hello,

    We have a Dell PowerEdge running Windows 2003 Server Std Edition R2 SP1.  On this machine we have installed SQL 2005 Std Edition (unclustered) running v.9.00.2047.00.


    The SQL components installed are the database engine, SSRS, SSAS, SSIS.  All of these components work correctly apart from an issue with SSRS security.

    The problem appears to be with the BUILTIN\Administrator account.  When we open SSRS in Management Studio, right-click Home and click Properties from the menu we have:

    • A security group called ‘domain\xyz’
      • created in Active Directory and contain around 50 users
      • The permissions assigned to the security group are: ‘Browser’ only (check-box).
    • BUILTIN\Administrators
      • this was there by default
      • The permissions assigned are: ‘Content Manager’ only (check-box).
    • Another security group called ‘domain\abc’
      • Created in Active Directory and contain SuperUsers (5 people)
      • The permissions assigned are: ‘Content Manager’ only (check-box).

    We would expect to browse to the SSRS site, e.g. http://<servername>/reports and depending on the membership status for the user accessing the reports site, i.e. if I am a member of xyz or abc, then I should be able to:

    • If ‘xyz’ : Browse (read only) reports;
    • If ‘abc’ : Adminster the reports (add/remove/amend) report(s). 

    The problem we have is that we think the BUILTIN\Administrators account is overriding the other two Security groups in the list (as mentioned above).  The outcome is that no matter if you are a member of abc or xyz you have Administrative permissions on the reports site.

    What we did recently is that we deselected ‘Content Manager’ for BUILTIN\Administrators and found that the ‘abc’ and ‘xyz’ members could only Browse, but the ‘abc’ users should also be able to Administer the reports site.

    This echoes the fact that the BUILTIN\Administrators account overrides the permissions for ‘abc’ and ‘xyz’.


    Please can someone help us?

    Thursday, June 04, 2009 9:20 AM

Answers

  • I am confused. Are you saying that a user that is in one of these groups but is not in the local Administrators group is getting the permissions for the Administrators group?
     
    I have a variety of users/groups that get different permissions. I have never seen the problem you are specifying and I have never seen anyone post such a problem. My guess is that the local Administrators group has some domain group assigned to it that the user in question is a member of. If a user or group is assigned different roles in RS then it acts just like it would for file system protection. I.e. administrator overrides everything else.
     

    --
    Bruce Loehle-Conger
    MVP SQL Server Reporting Services
    "SachinC" wrote in message news:4a676bbc-4acb-4af 9-9f17-70e2fc575c99...

    Hello,

    We have a Dell PowerEdge running Windows 2003 Server Std Edition R2 SP1.  On this machine we have installed SQL 2005 Std Edition (unclustered) running v.9.00.2047.00.


    The SQL components installed are the database engine, SSRS, SSAS, SSIS.  All of these components work correctly apart from an issue with SSRS security.

    The problem appears to be with the BUILTIN\Administrator account.  When we open SSRS in Management Studio, right-click Home and click Properties from the menu we have:

    • A security group called ‘domain\xyz’
      • created in Active Directory and contain around 50 users
      • The permissions assigned to the security group are: ‘Browser’ only (check-box).
    • BUILTIN\Administrators
      • this was there by default
      • The permissions assigned are: ‘Content Manager’ only (check-box).
    • Another security group called ‘domain\abc’
      • Created in Active Directory and contain SuperUsers (5 people)
      • The permissions assigned are: ‘Content Manager’ only (check-box).

    We would expect to browse to the SSRS site, e.g. http://<servername>/reports and depending on the membership status for the user accessing the reports site, i.e. if I am a member of xyz or abc, then I should be able to:

    • If ‘xyz’ : Browse (read only) reports;
    • If ‘abc’ : Adminster the reports (add/remove/amend) report(s). 

    The problem we have is that we think the BUILTIN\Administrators account is overriding the other two Security groups in the list (as mentioned above).  The outcome is that no matter if you are a member of abc or xyz you have Administrative permissions on the reports site.

    What we did recently is that we deselected ‘Content Manager’ for BUILTIN\Administrators and found that the ‘abc’ and ‘xyz’ members could only Browse, but the ‘abc’ users should also be able to Administer the reports site.

    This echoes the fact that the BUILTIN\Administrators account overrides the permissions for ‘abc’ and ‘xyz’.


    Please can someone help us?

    Thursday, June 04, 2009 1:34 PM