หน้าหลัก Library เรียนรู้ ดาวน์โหลด การสนับสนุน ชุมชน ฟอรัม
Microsoft Developer Network >
Builtin/Administrators

Answered Builtin/Administrators

  • 13 เมษายน 2555 20:00
     
     
    ลงชื่อเข้าใช้เพื่อโหวต
    0

    Hello All,

    I am trying to disable the builtin/administratirs group.I have 6 accounts in this group.Out of those 6 accounts I only need 1 account with full permissions and disable rest of the 5 accounts.Because we are using that particular account to run all the daily backups and schedules and that 1 account is really important.How to achieve this. In brief what I want to do is remove the sysadmin permissions/disable the 5 accounts from the group and leave the full permissions to 1 account.Any help is much appreciated.

    Thanks

     

ตอบทั้งหมด

  • 13 เมษายน 2555 20:15
     
     
    ลงชื่อเข้าใช้เพื่อโหวต
    1

    Remove Sysadmin permission from Builtin\Administrator group and explictly grant account or windows login  syadmin permission.

     
  • 13 เมษายน 2555 20:55
     
     
    ลงชื่อเข้าใช้เพื่อโหวต
    0

    or remove Builtin\Admistrators group completely.

    in SQL 2008 (R2) and later this predefined group does no longer exists.

    But don't forget to assign the effective database administrator the sysadmin privilege before deleting Builtin\Administrators otherwise you've a little problem when sa account is disabled.




    • แก้ไขโดย Daniel_Steiner 13 เมษายน 2555 20:56
    • แก้ไขโดย Daniel_Steiner 13 เมษายน 2555 20:56
    • แก้ไขโดย Daniel_Steiner 13 เมษายน 2555 21:15
    •  
     
  • 13 เมษายน 2555 21:45
     
     
    ลงชื่อเข้าใช้เพื่อโหวต
    0

    I think it is easy to remove that group. But I want 1 user from that group still active with full permissions. I can create an other login explicitly for this user..But I am just scared to delete the group and then create explicitly the account.Because that 1 account is really critical and important.Is there any way we can just disable the group so that I can create explicitly the other account and if that doesn't work I can go back and enable that builtin/administrators group.

    Please suggest.

     
  • 13 เมษายน 2555 22:00
     
     คำตอบ
    ลงชื่อเข้าใช้เพื่อโหวต
    0

    If you feel more comfortable, you can do

    ALTER LOGIN [Builtin\Administrators] DISABLE

    But it is not really much different than dropping the group altogether, and then re-adding it later.

    Before you have dropped BUILTIN\Administrators, you should have created an account for yourself with membership in the sysadmin role.

    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
     
  • 16 เมษายน 2555 15:54
     
     คำตอบ
    ลงชื่อเข้าใช้เพื่อโหวต
    0
    Also, you should understand that though you can (and perhaps should) remove the builtin\Administrators login so they don't have routine access as sysadmin's, you cannot permanently lock them out. Members of the local administrators group can always access SQL Server, though they access can be audited. For more information, see Troubleshooting: Connecting to SQL Server When System Administrators Are Locked Out

    Rick Byham, Microsoft, SQL Server Books Online, Implies no warranty

     
© 2013 Microsoft. All rights reserved.